Ex-Employee Busted For Tampering With ERP System
ErichTheRed writes "Here's yet another example of why it's very important to make sure IT employees' access is terminated when they are. According to the NYTimes article, a former employee of this company allegedly accessed the ERP system after he was terminated and had a little 'fun.' 'Employees at Spellman began reporting that they were unable to process routine transactions and were receiving error messages. An applicant for his old position received an e-mail from an anonymous address, warning him, “Don’t accept any position.” And the company’s business calendar was changed by a month, throwing production and finance operations into disorder.' As an IT professional myself, I can't ever see a situation that would warrant something like this. Unfortunately for all of us, some people continue to give us a really bad reputation in the executive suite."
For everyone!!
... right?
If programs would be read like poetry, most programmers would be Vogons.
Proves that security is a process, not a product.
I always suspect that companies in these cases deserve what happens to them, even though the other party in the fiasco demonstrates their own lack of ethical principles.
It's like a psychological glitch, I guess.
I have yet to work somewhere where the password management wasn't simply a nightmare.
Isn't there some utility that could be added to all systems and unify password management?
Build your own energy sources from scratch. http://otherpower.com/
He pleaded not guilty, and he's yet to be convicted, but I can definitely envision a scenario whereby shutting his account off could cause catastrophic failure of many systems. This typically happens when someone does not follow best practices with service accounts and such and is not an uncommon situation.
That being said, he could have been really fucking pissed at them and decided to fuck with shit. Some management out there can be real fuckheads to their employees.
Nobody is ever going to trust this guy near anything production ever again... Yeah it sucks when you get terminated. There's nothing that would ever warrant this type of behavior no matter how egregious the conditions or the people were. I won't be surprised if his former employer goes to the feds and tries to argue that he be arrested on computer crimes.
Yes Francis, the world has gone crazy.
Derp is right... no better way to destroy any hope of a career, than to do something monumentally stupid like this.
I've left positions that have been, to put it charitably, crap. Once it involved hard feelings against an asshat that destroyed the department.
OTOH, the golden rule is to never touch the machinery. EEOC and labor laws be damned, HR critters do talk to each other; even if your stupid stunt never made the news, it will make the rounds. Rest assured this guy will have to move to the other part of the country at the very least.
Quo usque tandem abutere, Nimbus, patientia nostra?
I have been mulling over this fact for a while now and some conclusions have been forming that I find to be extremely disturbing.
1. Degrees in "IT" are worthless in that they do not pertain particularly well with technology as it seems to evolve very quickly.
2. Degrees in "IT" are worthless because there is no one standard like there is with law and medicine.
3. As a resort against the first two problems, the industry has favored "certifications" but the problem with that is they become little more than fancy product endorsements which, as many of us know, does not guarantee real knowledge or understanding, but only guarantees that someone has been listed as passing a test in some database somewhere.
I think item 3 really needs to be appreciated. It's all about the cert isn't it? And these certs are in specific brands and ranges of products... often specific products. Imagine (warning-- car analogy) you were pulled over by a cop and you are asked for your license to drive. You are then arrested because your license does not cover your make or model of the car you are driving.
Obviously that doesn't happen because a driver's license covers general knowledge and understanding of the rules of the road and knowledge of standards about driving and signage and the like.
Why can't we have such standards for IT? Well, for starters, companies like Microsoft can't handle standards. They have to make everything proprietary so that they can manipulate and dominate markets. This is a similar problem with Cisco though they do it all to a much lesser degree and at times use different terminology instead of different technology. (Though clearly proprietary Cisco protocols exist.)
For all of those people who have been a bit confused about the issue of standards and especially "open" standards, this may be a key issue which might help you understand why standards are so important. At present, standards are quite literally owned by business entities in part or in whole and the right to live by them comes at a price... or several prices.
As a result of all of this, practitioners of IT are not all the same and can't be held to any given standard of any sort whether it is conduct or knowledge or standards of practice.
IT People are not "Professionals" as much as we would like to think we are. We can behave that way. We can dress that way. We can follow "standards" but which ones? There are so many. And so many products to endorse along the way. We are as "professional" as NASCAR drivers with dozens of logos plastered on our resumes.
How did this all happen? We can thank the likes of Microsoft for this. And until real standards are adopted world-wide, we cannot have a way forward out of this mess. Thanks to Microsoft's [successful] efforts to corrupt ISO standards, even "standards compliance" may not be an option. And who does it harm?
It harms YOU if you want to be considered to be "Professional."
>> Unfortunately for all of us, some people continue to give us a really bad reputation in the executive suite."
The only reason the executives freak out at this is because most of them have absolutely no idea what could happen, and how it could happen... When a sales rep leaves with his or her client, an accountant makes some creative accounting and buys a condo with some "reimbursement", a Marketing manager exposes the company to serious bad mojo because he can't keep his pants on, etc .... they understand what happened.
But realising that they should pay the guy that has root password on the ERP server the same as the CEO since he has actually more power than the CEO, this would be scary...
So nobody should do any kind of "bad stuff", and revenge no matter how justified it is, is rarely worth the time needed to execute it.
(that is why we do have courts of justice, in theory at least they help "outsourcing" revenge, and make it more "educative", not that the actual implementation always works...)
And what is ERP?
As an IT professional myself, I can't ever see a situation that would warrant something like this.
I can see a great many situations. But all of them revolve around people being less than professional. Just because you act professionally doesn't mean your boss will, or your coworkers, or another department that feels threatened by a project of yours, etc. You may not be petty, but a lot of people are.
And that pettiness, in the right set of circumstances, can lead to an otherwise respectable person doing something like this. Human beings have a strong need for vengeance. Our judicial system is based on it, though it's not politically fashionable (or wise) to say so publicly. When someone is "getting away" with something, the aggrieved party will sometimes resort to vigilantism.
While this could be a one-off situation, and while I never would approve of such behavior, it is more likely that corporate culture played a significant role in the disaster. Without addressing those problems, starting with senior management, this company will find themselves going through this again.
#fuckbeta #iamslashdot #dicemustdie
they took his stapler...
>> Isn't there some utility that could be added to all systems and unify password management?
I can tell you've never worked in IT by the fact you asked that question.
What does erotic role playing have to do with IT systems?
To all you virgins: Thanks for nothing.
Derp.
I actually bothered to read the article, and the ex-employee in question RESIGNED by giving two weeks notice after being repeatedly passed over for promotion.
Maybe in this day and age, we are now supposed to refer to anyone leaving a company as being terminated, but I for one think there is a profound difference between terminating an employee vs their departure of their own accord.
With that said -- seeing that this guy was butt-hurt enough to leave and commit these acts against his employer shows that he wasn't working with a full deck.
So I don't think the employer "had it coming" or provoked it -- since they seemed happy enough to employ him, but just didn't see him fit for a higher level position.
Here's yet another example of why it's very important to make sure IT employees' access is terminated when they are. (...)allegedly accessed the ERP system after he was terminated and had a little 'fun.
You go, RTFA and this is how it starts..
But after Mr. Meneses was passed over for promotions, he was upset enough to announce his resignation, giving two weeks’ notice. Before his final day in January 2012, colleagues caught him copying files from his computer to a flash drive, the authorities said. They cut off his access to company servers.
So, first of all, he was not terminated, he was mad and left the company. He was still on his two weeks' notice, so, in theory, had legitimate reasons to access the servers. When the company saw strange behavior, they cut his access. So, looks like a case of a pissed up asshole who decided to go out with a bang and got busted for it.
--- "When you gotta do something wrong. You gotta do it right. (Fighter)"
http://en.wikipedia.org/wiki/ERP_software
Wyatt's last name?
Enterprise Resource Planning - software that's supposed to be the backbone of a company that handles all business processes, invoices, payroll, inventory, operation scheduling, finance etc, but is usually just a pain in the ass that employees have to endure.
http://en.wikipedia.org/wiki/Enterprise_resource_planning
At a small company I worked for years ago there was a tendency to fire accountants (who simply didn't agree with the CFO). Turns out the CFO was embezzling funds and a number of folks just didn't want to go along with the program. So one day the CFO fired this one accountant and it was pretty bitter.
As the IT director I had advised the CFO many months earlier that IT needs to oversee all the software and accounts in the company as it is a security matter. He agreed to all but the accounting software and its controls (he didn't want anybody seeing his criminal ways).
So one day after firing the accountant, someone writes a $1,000,000 dollar check to a customer and it gets processed. Suspicion turns to the accountant having access, but there is no proof. The CEO and CFO both stop by my cubicle complaining how could this happen?? I simply told them you advised me several months back not to put the accounting software or user accounts under any IT control, even after I had warned you of the security dangers. We can't firewall a separate system that IT is not in charge of or have credentials to... Frustrated they walked away, annoyed like they couldn't blame someone for their stupidity.
I kind of felt sympathy for that accountant, although he probably should have contacted the authorities. I had no way of knowing, except rumors you hear. Pretty ballsy, but that's what happens when suits have their ego and lack of ethics... Eventually there was an investigation on the books and things flew wide open. I left the company prior to it hitting the fan.
Why do people ever think that it's a good idea to leave a trail of destruction behind them?
It doesn't make you clever, you're just abusing access. Any idiot can screw things up.
There's a huge potential downside for you: if you get caught, you face prosecution, or at the very least, a negative recommendation.
And obviously there is no upside for you. It's not like your tantrum is going to get you that job/promotion/whatever. You want them to miss you because they used to have such great quality work products from you, and now they don't have them anymore.
Awesome work, not tantrums, is what will keep you in a happy professional career.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Who cares about the HR critters. When you don't use your last boss as a reference, it's going to raise questions. And when your next prospective employer calls your old employer to ask those questions, the answers are very soon going to point you toward a growing familiarity with frozen burgers.
Proper procedure for any IT or security dismissal (or really, for anyone with access to sensitive/proprietary information) is escorting them from the building, disabling their access while they are being told that they're terminated. Any external access they have is revoked by the time they get to the front door; any shared accounts they know (like root, su or domain admin) have their external access suspended until the passwords can be changed. Collect their IDs, corporate cell phone, USB devices, etc. before they leave the premises; they can make an appointment to come back and get them after they've been inspected for any proprietary information. Don't let them go back to their desks and get anything - either send someone to get it for them, or tell them they can get it when they return for the other stuff.
This needs to be part of the process for ANY termination, even if the employee has been a model of behavior and is taking their change of status phenomenally well. People in stressful situations can behave erratically and unpredictably, and the organization must protect themselves against an unexpected reprisal. I've seen people throw away extremely generous separation packages in favor of revenge via venting on Facebook or sending abusive/threatening emails to the CEO. And I wondered what the hell was going through their heads, right up until I got downsized myself in the middle of the recession. I chose to accept, regroup and move on, but I now have a much better understanding of the stress something like that brings to bear.
... Executives? Managers?
I got a chuckle out of one line: "Unfortunately for all of us, some people continue to give us a really bad reputation in the executive suite."
Unfortunately the reputation of the denizens of the Executive offices is exceptionally bad.
Trust is something that must be inspired, not commanded, and those near the higher end of the food-chain seldom inspire trust, especially given the whims that impact our ability to raise a family (much less get any semblance of work/life balance).
Ran an IT department, alone, that previously was staffed by, uhm, six, before the company halved in size in a post-dotcom implosion. Burned out. The ceerow just sat and watched. I still consider them debtors, but that's beside the point.
I was not a happy frog, having been well and truly cooked. Thought about it for a long time, then decided not to go through with any and all plans to harm the company. Tried to tell the nitwit CFO just how close I'd been to causing some spectacular delayed digital fireworks during my "exit interview". He didn't get it.
And closing down my accounts? Hah. I let myself out, closed my own accounts, all but one that I couldn't close entirely. Without leaving back doors or anything. Really.
Moral of the story? Eh, I dunno. They got off lucky, even though I didn't. If there's a moral it's the same with every parting under storm cloud cover:
It's usually a better idea to not massively piss off the people that hold the keys to the corporate crown jewels. You don't want those people to be mentally unstable, and so you don't want to drive them stark raving mad either. That doesn't justify vengeful actions, but an apple a day keeps the doctor away, no?
If IT is important to your company, you have to carefully select and take good care of your IT people, too.
The most hellish software you could ever hope to not attempt to program.
You have never worked for Computer Associates, obviously.
A pox on web designers who feel that window.innerWidth == screen.availWidth
Uh, no. It's not illegal to say anything negative. There's this thing called the First Amendment. It does, however, open you up to civil lawsuits for slander and 98% of employers have decided they just don't want to take the risk of an expensive lawsuit.
Step out the front door like a ghost into the fog . . .
There are two things that really bug me about this story and stories like this:
One of the things I would really like to see before I retire is the ability of IT / systems engineering to grow up a little bit and attain the same level of recognition that professional engineers enjoy. I'm old and curmudgeon-y at 38, but one of the things I've consistently seen throughout my career is examples of stuff like this. When standards are put in place (see ITIL as an example,) they are implemented so poorly or are so rigid that they remove any critical thinking from a process. I know many support people in ITIL shops who have quit out of the sheer frustration of paperwork and being limited to pushing pre-defined buttons at pre-defined times. This kills the pipeline for new engineering talent, and we're increasingly at the mercy of high-paid vendors and vendor consultants. In my opinion, this needs to change.
The problem is, how do we do it? A basic engineering education has math, physics, mechanics, thermodynamics, etc, to fall back on. The fundamentals in these subjects change very rarely. Let's say for the moment that "IT" represents the computer systems engineering field, even though I know the term encompasses tons of technician roles. When you dig down into the fundamentals of IT, you're dealing with the interoperability of computer systems, networks, storage, and so on. The concepts are all the same, but the layers on top keep getting changed every few months as new technology comes out. In many cases, old technology gets trotted out again with new underpinnings attached -- see the rise of virtualization and the parallels to the 70's timeshare concept. Sometimes it's change for the sake of change (and a cut of the App Store pie) -- see Windows 8. The field is definitely not static, but neither is engineering. New methods and materials are tried all the time, and if one works better it displaces the old one.
One thing an engineering curriculum that leads to the possibility of PE licensure has is an ethics component. Sure, some people may consider it a joke, and think following ethical guidelines is for suckers when executives get away with things all the time. But, it's there. IT as it is now doesn't really have something like this. How many sysadmins do you know that behave like a slightly less criminal version of the BOFH? I've seen a lot of this behavior, and there's very little done to combat it. Because I'm an ethical idiot, I point out things like the loopholes this guy probably exploited to get his revenge. I've often walked into situations where I've been accidentally granted way too much authority. I don't know about you, but my first reaction isn't to exploit it -- I've politely explained, "Look, I know I can do xyz with my privileges, but I really shouldn't be able to. Please take this away from me." Why? Because I really like the work I do, and I want to keep doing it. The guy in this article is going to be lucky to have any sort of job, let alone work in the IT field again, even if he's found not guilty.
I know that a lot of the problems with education rest with the fact that we trust vendors and their certifications to fill the gap in fundamental knowledge. I absolutely hate vendor "whitepapers" that promise a "deep dive" on a technical subject and are thinly veiled advertisements for a product. Having only that as an educational resource leads to people who have a very vendor-centric view of the world. My natural reaction when faced with an unfamiliar system is to dig in to the details and figure out what's going on under the hood. Vendors don't want you to do that, and employers are happy because the vendor they chose just happens to certify "professionals" who "know" the product in question.
Computer syste
Huh? Move across the country? He should be convicted for hacking a system he no longer worked at, and that conviction will follow him all across the country. There's no escaping the conviction on a background check. All employers will be able to find it, and he didn't do anything 'leet' enough to make the security companies interested in him even though they sometimes employ ex-cons.
His IT career is over. His next likely occupation is fry-cook.
They always have insider-knowledge. They always can do serious harm.
Treat them with respect, justify the firing rationally, help them find a new job, give them a good recommendation, etc. And once you do that, your risk of them sabotaging you drops tremendously. If you treat them like trash, they will not retain any shred of loyalty to you. Rather obvious, I would think.
Interestingly, in many civilized countries, you routinely stay on and work after having gotten a termination notice or resigning until the termination date. This "remove all access immediately" is a US thing, but not thought to be necessary in a lot of places. My guess is that it comes down to the way employees are viewed and treated.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Unfortunately for all of us, some people continue to give us a really bad reputation in the executive suite."
Sorry, but nothing, and I mean nothing, compares with the bad reputation the executive suite has with everyone. Psychotic bastards, the lot. Have you forgotten the whole banking fiasco that caused a massive economic meltdown? So, I think if anyone has a reputation to fix, it is upper management.
Uh, yeah, a place known as "prison". What the summary didn't include is that he was charged and could face up to 10 years and a $250k fine.
IT needs apprenticeships and trades like schooling systems.
There are plenty of operations in the business world where people can fuck over the company they're working for. Sales people sometimes take customers from place to place, mechanics may do stuff that only "they can repair", HR folks and bookkeepers could make or document minor discrepancies and either use blackmail to keep a job or report everything to a state inspection agency.
It's the same problem if you don't deactivate access cards or change keys - you can still come on the property without raising attention and throw a wrench somewhere. However most people still have the idea that computers are "magic" and either do everything automatically or don't have an impact on their business. They basically treat IT people as the guy that unclogs the toilet and cleans the offices, once they're not around or they intentionally do something wrong, then it gets noticed but otherwise they're "replaceable" and an expense that doesn't generate any ROI.
It only gets to the news because many people (journalists, bloggers etc) treat their own computers as "magic" and thus everything that happens remotely related to a computer is the witch's fault so burn the witch!
Custom electronics and digital signage for your business: www.evcircuits.com
no wonder he got sacked - must have real mental problems
You have a very rude surprise ahead of you.
No, he didn't get sacked. He quit because he was passed over for promotions.
This guy is why I can't get the proper access I need to do my job as a developer.
Then I would say his actions after he quit may provide a good clue why he was passed over for promotions.
How can the applicant know that a negative reference has been done?
Little known "facts":
ERP is the Pig Latin root of the phrase Herp-Derp.
ERP is an onomatopoetic synonym for "burp".
ERP is the surname for a gunfighter at the OK Corral, first name Wyatt. :-)
BUT CS is not IT, it's more on the programmer side of stuff, and learning LDAP and Netware in college is nice (it sounds like a tech school). But some degrees are loaded with theory that helps you maybe if you are coding at a low level, but in the long run you may be better off learning stuff that is more at the trades / tech school level if you want to DO NON programming IT work, and you also need to learn some stuff hands on.
Also going up the degree tree becomes more and more about the academic side of stuff with high costs and classes that can be far from real IT work. (look at what happened at Dawson College)
Also there is some stuff that is better off having people who mainly work on that specific task (or set of tasks). Like say the networking patriots of a big multi-site setup.
Also the QA person should not also be the same person who writes the code.
Hack into their computer. /jk
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Exceptional point my AC friend. I'm sure he was stupid enough to think he was doing something "leet" though. I would say to be "leet" enough to get a security company to look at you, you should probably hack something other than your former employer that you already had high level access to. I would have loved to screw over a couple places, but I had the foresight to know that hacking their shitty ERP system was gonna get me nowhere.
Hell even getting a job as a fry cook might be tough nowadays. Too many non cons needing jobs.
Would it kill you to at least use the full phrase once in the summary so we know what it's about?
--
Stay tuned for some shock and awe coming right up after these messages!
Ask a friend to pretend to be a prospective employer, let them ask the questions by email (so you have it black on white)
If they reply in a negative fashion, then you sue the bastards.
This is the sig that says NI (again)
Never thought that... Mod parent up :)!
If they reply in a negative fashion, then you sue the bastards.
Depends - if the negative reply is the truth (without embellishment), you can't sue them for a damned thing in most states.
Mind you, this includes things like "we let him go because of successive negative performance reviews" and such.
Employers get the same protections from libel/slander suits that individuals do. If they have a paper trail and witnesses, they can and will prevail. By the way, there's another hazard of getting all lawyer-happy: The lawsuit makes that negative stuff public record, especially if they have a paper trail.
Overall though, most employers stick to the 'name|rank|serial-number' routine for negative terminations because they don't want all the bother and headache - it's cheaper and easier to let the guy become some other company's problem.
Quo usque tandem abutere, Nimbus, patientia nostra?
The company I work for has a security policy in place: regular employees & contractors who leave voluntarily are processed through an automated program, and all accounts are shut down within 48 hours. Immediate terminations & IT employees who leave voluntarily are manually terminated within 4 hours, but are expected to be shut down in less than 1 hour. Our team verifies the auto terms since sometimes the process forgets to work, and our manager has questioned why an immediate term or IT term has gone over 1 hour (there are a few gaps in our coverage even though we are considered a 24 hour team). I'm guessing this company had no such policy...
"If stupid things work...then they are not stupid."
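The verification step described in the comment above (checking that terminations met the 48-hour, 4-hour and 1-hour windows), together with the earlier comment's point about changing shared passwords, can be sketched as a reconciliation job. This is an added example, not code from the thread or from any company mentioned; the record layout, system names, finding labels and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# (expected, hard limit) per separation type, using the figures in the comment:
# 48 h for regular voluntary leavers; 4 h, expected under 1 h, for immediate
# terminations and departing IT staff.
SLA = {
    "voluntary": (timedelta(hours=48), timedelta(hours=48)),
    "immediate": (timedelta(hours=1), timedelta(hours=4)),
    "it_voluntary": (timedelta(hours=1), timedelta(hours=4)),
}

@dataclass
class Separation:              # one row from the HR feed (hypothetical layout)
    user: str
    kind: str                  # key into SLA
    at: datetime               # moment the separation took effect
    shared_accounts: tuple = ()  # shared credentials this person knew

@dataclass
class Account:                 # one row from the account inventory (hypothetical)
    user: str
    system: str
    disabled_at: Optional[datetime]
    last_login: Optional[datetime]

def audit(separations, accounts, shared_rotated, now):
    """Return (finding, subject) tuples for every deprovisioning gap."""
    by_user = {}
    for acct in accounts:
        by_user.setdefault(acct.user, []).append(acct)
    findings = []
    for sep in separations:
        target, hard = SLA[sep.kind]
        for acct in by_user.get(sep.user, []):
            where = f"{sep.user}@{acct.system}"
            if acct.disabled_at is None:
                # Still enabled: a finding only once the hard limit has passed.
                if now > sep.at + hard:
                    findings.append(("STILL_ACTIVE_PAST_SLA", where))
            else:
                elapsed = acct.disabled_at - sep.at
                if elapsed > hard:
                    findings.append(("SLA_BREACH", where))
                elif elapsed > target:
                    findings.append(("OVER_TARGET", where))
            # Any login after separation needs review, even if the account
            # was eventually disabled on time.
            if acct.last_login and acct.last_login > sep.at:
                findings.append(("LOGIN_AFTER_SEPARATION", where))
        for shared in sep.shared_accounts:
            rotated = shared_rotated.get(shared)
            # A shared password last changed before the departure is still
            # known to the departed user.
            if rotated is None or rotated < sep.at:
                findings.append(("SHARED_CREDENTIAL_NOT_ROTATED",
                                 f"{sep.user}:{shared}"))
    return findings

# Constructed sample data.
T0 = datetime(2024, 3, 1, 9, 0)
NOW = datetime(2024, 3, 4, 12, 0)
SEPARATIONS = [
    Separation("alice", "voluntary", T0),
    Separation("bob", "it_voluntary", T0, ("root@erp",)),
    Separation("carol", "immediate", T0, ("domain-admin",)),
]
ACCOUNTS = [
    Account("alice", "vpn", T0 + timedelta(hours=30), T0 - timedelta(days=1)),
    Account("alice", "erp", None, None),
    Account("bob", "erp", T0 + timedelta(hours=2), T0 + timedelta(minutes=90)),
    Account("bob", "vpn", T0 + timedelta(minutes=30), T0 - timedelta(hours=2)),
    Account("carol", "email", T0 + timedelta(hours=6), None),
]
SHARED_ROTATED = {
    "root@erp": T0 + timedelta(hours=3),
    "domain-admin": T0 - timedelta(days=30),
}

if __name__ == "__main__":
    for finding, subject in audit(SEPARATIONS, ACCOUNTS, SHARED_ROTATED, NOW):
        print(f"{finding:32} {subject}")
```
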
About 12 years ago I was let go from a horrible management position at a horrible company working for horrible people (this is all my justification) under very shady circumstances. Even though I was being let go for "cause", I was given a severance and was told they would not contest if I filed for unemployment. The day I walked out the door I was beyond angry and more than anything wanted reasons. Knowing that the email server service accounts were running under the domain admin accounts, and that the domain admin had VPN access (terrible security there, but that was not my responsibility) I logged in from home and opened one of the C?O email accounts and quickly found the reason for my being let go. I won't go into details about the circumstances, other than they were unsubstantiated lies from a chronic pothead. I copied and pasted this email into an "All IT Staff" email with a short warning to watch your backs, and sent this from the domain admin account. Do any of the circumstances of my being let go justify my actions? No. But, they did have it coming.
Maybe you should try reading the comments to this article to see that most people on Slashdot are just like the asshat in the article.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Only $90K? Basically next to no harm. Or the company was already on thin ice.
I've searched for the link but can't seem to find it, but I saw a "confession bear" meme at work the other day from reddit (boo reddit, whatever) about some guy getting let go and saying that "his employer should have changed the passwords" because he made several changes, including putting the calendar a month out.
Coincidence? Maybe. Probably not.
He was not doing it to be "leet". The attitude he portrayed seemed to just be that it would be worth some internet credit.
This statement is forty-five characters long.
I think most of us in the IT industry have encountered very challenging environments to work in (to put it diplomatically) and I myself have had my fair share without a doubt. However, it is my humble opinion that it is *never* acceptable to retaliate, take revenge, or damage the property of others, whether they are individuals or corporate entities, no matter what justifications there may well be in support of such actions. It is simply unacceptable behavior period. I believe that there are still such things as personal work ethic and pride that should govern our decisions, actions, and words at work and sadly I feel that these attributes seem to be a rarity in today's work environment. Too many so called "professionals" insist on performing the absolute minimum to just barely meet their employment contract requirements so that they can draw a pay check. Too many of these "aggressionals" seem to take the position that the world owes them something; they seem to feel entitled to the "power" and the respect when in reality their own conduct rarely, if ever, shows the respect that they so crave to those around them. This "if I can't win I will make sure you won't either" approach is just so short sighted, unproductive, and destructive to all parties involved. I am very vocal about the common shortcomings and inadequacies of management in today's work environment also, so I am by no means biased to employers' points of view, but creating a stable, respectful, and productive working environment has to come from both sides and if the employee is not investing a willingness to create real value within that relationship then it does not matter that the employer is not either because it is already a lost cause - it takes two to tango, and the willingness to do so might as well start with you the employee.
If the situation cannot be amicably resolved through respectful communication and reason, then it is time to respectfully move on; not because you want a favorable reference for your next job, but because you are a professional and hold your conduct to a higher, personal standard than the rest of the stampeding masses out there. So I can only say to all the so called "professionals" out there: prove your professionalism in deed and not just in word, the embroidered cert badges on your bags, or the credentials at the end of your sig lines; show your value as an employee by how you deal with the tough stuff, and invest into work relationships by creating value. Simply demanding it from the ether and then throwing a tantrum, damaging property, stealing data, or whatever it is that you think you can do to "stick it to the man", if you don't get what you want says more about who you are as an individual than what it says about your employer's shortcomings and inadequacies, however real they may be.