Slashdot Mirror


Ex-Employee Busted For Tampering With ERP System

ErichTheRed writes "Here's yet another example of why it's very important to make sure IT employees' access is terminated when they are. According to the NYTimes article, a former employee of this company allegedly accessed the ERP system after he was terminated and had a little 'fun.' 'Employees at Spellman began reporting that they were unable to process routine transactions and were receiving error messages. An applicant for his old position received an e-mail from an anonymous address, warning him, “Don’t accept any position.” And the company’s business calendar was changed by a month, throwing production and finance operations into disorder.' As an IT professional myself, I can't ever see a situation that would warrant something like this. Unfortunately for all of us, some people continue to give us a really bad reputation in the executive suite."

37 of 178 comments

  1. Their security processes suck by Anonymous Coward · · Score: 4, Insightful

    Proves that security is a process, not a product.

  2. Not Guilty by Anonymous Coward · · Score: 5, Informative

    He pleaded not guilty, and he's yet to be convicted, but I can definitely envision a scenario whereby shutting his account off could cause catastrophic failure of many systems. This typically happens when someone does not follow best practices with service accounts and such and is not an uncommon situation.

    That being said, he could have been really fucking pissed at them and decided to fuck with shit. Some management out there can be real fuckheads to their employees.

  3. Re:ERP by Penguinisto · · Score: 5, Insightful

    Derp is right... no better way to destroy any hope of a career, than to do something monumentally stupid like this.

    I've left positions that have been, to put it charitably, crap. Once it involved hard feelings against an asshat that destroyed the department.

    OTOH, the golden rule is to never touch the machinery. EEOC and labor laws be damned, HR critters do talk to each other; even if your stupid stunt never made the news, it will make the rounds. Rest assured this guy will have to move to the other part of the country at the very least.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  4. Re:I always suspect.... by JeffOwl · · Score: 4, Insightful

    It is entirely possible, but far from granted. There are plenty of individual tinfoil hat wearers that either don't perceive reality the way that most do or alternately don't need a reason to be a jerk. This is just one side of the story.

  5. Re:how to NOT give everyone passwords? by VortexCortex · · Score: 4, Funny

    No. Multi User OSs are a pipe dream. Next you'll want file level access restriction. Madness.

  6. It's business as usual... by Coeurderoy · · Score: 5, Interesting

    >> Unfortunately for all of us, some people continue to give us a really bad reputation in the executive suite."

    The only reason the executives freak out at this is because most of them have absolutely no idea what could happen, and how it could happen... When a sales rep leaves with his or her client, an accountant makes some creative accounting and buys a condo with some "reimbursement", a Marketing manager exposes the company to serious bad mojo because he can't keep his pants on, etc .... they understand what happens. But realising that they should pay the guy that has root password on the ERP server the same as the CEO since he has actually more power than the CEO, this would be scary... So nobody should do any kind of "bad stuff", and revenge no matter how justified it is, is rarely worth the time needed to execute it. (that is why we do have courts of justice, in theory at least they help "outsourcing" revenge, and make it more "educative", not that the actual implementation always works...)

  7. Wonder if by UmbraSomnia · · Score: 3, Funny

    they took his stapler...

    1. Re:Wonder if by frank_adrian314159 · · Score: 2

      No. He would have burned down the building, if that were the case.

      --
      That is all.
  8. Re:I always suspect.... by ScentCone · · Score: 5, Funny

    I always suspect that companies in these cases deserve what happens to them

    Did you see the outfit that ERP was wearing? That general ledger module was WAY above its knee. And I think the CRM middleware was wearing a lot of perfume. Totally asking for it.

    --
    Don't disappoint your bird dog. Go to the range.
  9. Re:He'll never work in IT ever again... by mark-t · · Score: 2

    He wasn't fired. He quit in a huff over not getting a promotion that he presumably felt he deserved (and apparently even gave them 2 weeks notice).

  10. Re:He'll never work in IT ever again... by thereitis · · Score: 4, Funny

    Some people can turn a lemon into lemonade. Some can leave the lemon alone. Others turn a lemon into a rotting, worm-infested lemon, like it seems this guy has.

  11. ERP? by Tator+Tot · · Score: 5, Funny

    What does erotic role playing have to do with IT systems?

    --
    To all you virgins: Thanks for nothing.
  12. Re:I always suspect.... by Anonymous Coward · · Score: 4, Insightful

    He did not say it was their fault, he said they might have deserved it. Are you unable to read and parse English?

    Obviously the IT worker is still a jackass and responsible for the whole thing if the summary is accurate (which it rarely is, but that's irrelevant to my point)

    Give me a break with your half-assed sarcastic replies with absolutely no thought put into them.

  13. Re:how to NOT give everyone passwords? by mordred99 · · Score: 3, Informative

    Password Management is not the same as access management. In terms of password management, yes, you can standardize all systems to authenticate and authorize from a central system (LDAP, AD, RADIUS, RSA Tokens, etc.) The issue becomes when a person leaves, turn it off and all their access goes away. The issue is for proprietary systems that use things like digital certs, or that do not play well with centralized auth systems (i.e. lazy programming in my book for enterprise apps).

    As for the other piece, access management, this has to do with the knowledge (and proof) that a person was given access to (and what level of permissions) as well as who approved, and who implemented the account creation/deletion. There are systems which cost millions of dollars to manage access and the subsequent audit requirements around it.
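
The split drawn in the comment above (central authentication versus a record of who holds access and who approved it), together with the service-account caveat from comment 2, as an added example that is not part of the thread. Every user, system, job name and field name below is constructed for illustration.

```python
from datetime import date

AS_OF = date(2024, 3, 1)                   # audit date (constructed)
DEPARTED = {"jdoe": date(2024, 2, 16)}     # HR feed: user -> last day (constructed)

# Constructed inventory, one row per account per system. "auth" says whether the
# system defers to the central directory or keeps its own credentials;
# "used_by" lists jobs that run under the account.
ACCOUNTS = [
    {"system": "ad", "account": "jdoe", "owner": "jdoe", "auth": "central",
     "enabled": False, "last_login": date(2024, 2, 16),
     "approved_by": "mgr1", "used_by": []},
    {"system": "erp", "account": "jdoe_admin", "owner": "jdoe", "auth": "local",
     "enabled": True, "last_login": date(2024, 2, 20),
     "approved_by": None, "used_by": []},
    {"system": "db", "account": "jdoe", "owner": "jdoe", "auth": "local",
     "enabled": True, "last_login": date(2024, 2, 10),
     "approved_by": "mgr1", "used_by": ["nightly-invoice-job"]},
    {"system": "erp", "account": "asmith", "owner": "asmith", "auth": "local",
     "enabled": True, "last_login": date(2024, 2, 28),
     "approved_by": "mgr2", "used_by": []},
]

def audit(accounts, departed, as_of):
    """Return ((system, account), finding) pairs for accounts owned by leavers."""
    findings = []
    for a in accounts:
        left = departed.get(a["owner"])
        if left is None or left > as_of:
            continue                       # owner is still employed
        key = (a["system"], a["account"])
        if a["enabled"]:
            findings.append((key, "ENABLED_AFTER_DEPARTURE"))
            if a["auth"] == "local":
                # Disabling the directory entry does not touch this credential.
                findings.append((key, "LOCAL_AUTH_NOT_COVERED_BY_DIRECTORY"))
        if a["last_login"] and a["last_login"] > left:
            findings.append((key, "LOGIN_AFTER_DEPARTURE"))
        if not a["approved_by"]:
            findings.append((key, "NO_APPROVAL_RECORD"))
        if a["used_by"]:
            # Jobs depend on a personal account: disabling it blindly breaks them.
            findings.append((key, "SERVICE_DEPENDENCY"))
    return findings

def plan(findings):
    """Pick one action per account; a service dependency overrides a plain disable."""
    actions = {}
    for key, code in findings:
        if code == "SERVICE_DEPENDENCY":
            actions[key] = "migrate-then-disable"
        elif code == "ENABLED_AFTER_DEPARTURE":
            actions.setdefault(key, "disable-now")
    return actions

if __name__ == "__main__":
    results = audit(ACCOUNTS, DEPARTED, AS_OF)
    for key, code in results:
        print(key, code)
    print(plan(results))
```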

  14. Resignation == Termination? by l0ungeb0y · · Score: 5, Informative

    I actually bothered to read the article, and the ex-employee in question RESIGNED by giving two weeks notice after being repeatedly passed over for promotion.
    Maybe in this day and age, we are now supposed to refer to anyone leaving a company as being terminated, but I for one think there is a profound difference between terminating an employee vs their departure of their own accord.

    With that said -- seeing that this guy was butt-hurt enough to leave and commit these acts against his employer shows that he wasn't working with a full deck.
    So I don't think the employer "had it coming" or provoked it -- since they seemed happy enough to employ him, but just didn't see him fit for a higher level position.

  15. Why can't the submitter RTFA before posting? by Leafheart · · Score: 5, Informative

    So, here is how TFS starts

    Here's yet another example of why it's very important to make sure IT employees' access is terminated when they are. (...)allegedly accessed the ERP system after he was terminated and had a little 'fun.

    You go, RTFA and this is how it starts..

    But after Mr. Meneses was passed over for promotions, he was upset enough to announce his resignation, giving two weeks’ notice. Before his final day in January 2012, colleagues caught him copying files from his computer to a flash drive, the authorities said. They cut off his access to company servers.

    So, first of all, he was not terminated, he was mad and left the company. He was still on his two weeks' notice, so, in theory, had legitimate reasons to access the servers. When the company saw strange behavior, they cut his access. So, looks like a case of a pissed up asshole who decided to go out with a bang and got busted for it.

    --
    --- "When you gotta do something wrong. You gotta do it right. (Fighter)"
  16. Re:ERP by Anonymous Coward · · Score: 2, Funny

    Wyatt's last name?

  17. Re:ERP by hammeraxe · · Score: 4, Informative

    Enterprise Resource Planning - software that's supposed to be the backbone of a company that handles all business processes, invoices, payroll, inventory, operation scheduling, finance etc, but is usually just a pain in the ass that employees have to endure.

    http://en.wikipedia.org/wiki/Enterprise_resource_planning

  18. You think that is bad?? by Anonymous Coward · · Score: 5, Interesting

    At a small company I worked for years ago there was a tendency to fire accountants (who simply didn't agree with the CFO). Turns out the CFO was embezzling funds and a number of folks just didn't want to go along with the program. So one day the CFO fired this one accountant and it was pretty bitter.

    As the IT director I had advised the CFO many months earlier that IT needs to oversee all the software and accounts in the company as it is a security matter. He agreed to all but the accounting software and its controls (he didn't want anybody seeing his criminal ways).

    So one day after firing the accountant, someone writes a $1,000,000 dollar check to a customer and it gets processed. Suspicion turns to the accountant having access, but there is no proof. The CEO and CFO both stop by my cubicle complaining how could this happen?? I simply told them you advised me several months back not to put the accounting software or user accounts under any IT control, even after I had warned you of the security dangers. We can't firewall a separate system that IT is not in charge of or have credentials to... Frustrated they walked away, annoyed like they couldn't blame someone for their stupidity.

    I kind of felt sympathy for that accountant, although he probably should have contacted the authorities. I had no way of knowing, except rumors you hear. Pretty ballsy, but that's what happens when suits have their ego and lack of ethics... Eventually there was an investigation on the books and things flew wide open. I left the company prior to it hitting the fan.

  19. Re:I always suspect.... by mark-t · · Score: 2

    Meh. Everyone has a choice. They can either take responsibility for their actions, or they can be immature and blame other people for them.

    100% sure? I doubt that... unless you are saying you are the accused yourself.

    Because you see, he's claiming "not guilty", so that would imply he's asserting that he didn't do it. In our society one is innocent until proven guilty, so it makes no sense for anyone other than the accused to be 100% certain of anything in that matter, let alone that he felt he had no choice.

  20. I really don't understand people who do that by Slashdot+Parent · · Score: 3, Insightful

    Why do people ever think that it's a good idea to leave a trail of destruction behind them?

    It doesn't make you clever, you're just abusing access. Any idiot can screw things up.

    There's a huge potential downside for you: if you get caught, you face prosecution, or at the very least, a negative recommendation.

    And obviously there is no upside for you. It's not like your tantrum is going to get you that job/promotion/whatever. You want them to miss you because they used to have such great quality work products from you, and now they don't have them anymore.

    Awesome work, not tantrums, is what will keep you in a happy professional career.

    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
    1. Re:I really don't understand people who do that by war4peace · · Score: 2

      Why does a dog lick his balls? Because he can...

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    2. Re:I really don't understand people who do that by Rob+the+Bold · · Score: 2

      if your dog is really going to town on his balls

      Annnnd here's my favorite out of context /. quote of the week (year?).

      It's only May.

      --
      I am not a crackpot.
  21. Re:Beats hitting printer with a baseball bat... by Penguinisto · · Score: 2

    Nothing beats hitting a printer with a baseball bat...

    ...unless it involves hitting a router or server with a baseball bat.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  22. Re:I always suspect.... by i+kan+reed · · Score: 2

    I think I just lack empathy for non-humans. Companies aren't people. When they suffer, I just see numbers changing on a ledger.

  23. Re:how to NOT give everyone passwords? by Penguinisto · · Score: 2

    ...and tools like Active Directory aren't just in beta testing, you know?

    Nope; just that it seems like it at times. ;/

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  24. Re:Because "IT People" are not "Professionals" by mordred99 · · Score: 2

    I don't know where to begin in response to this, so let's take this by point/paragraph.

    1) An IT degree is not "worthless" because it teaches you certain technologies. You learn about specific technologies, and yes they change. However learning how a technology works (not just learning how to click a button and wow it works) is the true knowledge you are learning. I learned LDAP and Netware in college, and those technologies are fundamental to how I can look at all authorization technologies today, even though people rarely deploy true virgin implementations of those technologies today. The same can be said about modem technology. I learned how a modem worked and today, very few people still use modems. However knowing frequency multiplexing, understanding bandwidth, encoding methodologies, etc. I can know how most any telecom signal works.

    2) IT degrees are not standardized. Yes, and nor should they. Universities are a bevy of politics, greed, money changing hands, etc. Curricula are determined by committees made up from companies which are giving money to the universities to make sure they get the kinds of employees they want. Any company that wants a person can spend 30 minutes and determine if the person has the skills they want. This is called an interview.

    3) IT has focused on certs. While yes, this is true, it again tells you if a person has a certain knowledge in certain areas. A company that implements certs can determine the level of knowledge required to pass them and this is no big deal either. Industry knows which are the crap certs and which are the good ones. Again, an interview can determine really quick if a person knows their stuff.

    I think you are looking about this the whole way. There are IT workers, and there are IT professionals. An IT worker is an individual who only has the skills to do one specific type of task, and cannot branch out into other areas or line of work. An example of this is a desktop admin (Not all, don't flame me, just read the specifics as I state them) at a large company. If the person has only just joined, and all they know how to do is load a boot CD and ghost images, then guess what, they are an IT worker. They might expand further into creating images and doing other things on that team, but they are still an IT worker. Until they understand full system integration, app design, architecture, etc. then they know how to do one specific task (or set of tasks).

    A true IT professional is an individual who can work on almost any given technology, knows and has experience with most of the underlying technologies, and can quickly come up to speed with anything that is given to them. These people are rare, and people like this rarely are desired in the traditional hiring process and most of the time work as consultants. Why is this? Simple, companies want IT workers. Give them a task, they do only that task. People who can see the bigger picture are not needed often, and when they are, cheaper to hire a consultant for the few weeks they are needed.

    I am proud to say I am an IT professional. I have two masters degrees and several certifications after my name. I make a great living, and will be retired by the time I am 45. I can tell you that being an IT professional has not harmed me one bit. I would like to know how this has harmed me? The only way I can see it harming you to be an IT professional is if you want to do the same IT job for the rest of your life, at the same company. Not me, I want to use the knowledge, skills, and god given inquisitiveness I have to learn.

  25. Re:Beats hitting printer with a baseball bat... by NatasRevol · · Score: 4, Funny

    Or rolling the old server off the roof. And video taping it. Through each window the server passes by. And from the ground. In super slow-mo.

    --
    There are two types of people in the world: Those who crave closure
  26. Re:ERP by Ammin · · Score: 4, Informative

    Uh, no. It's not illegal to say anything negative. There's this thing called the First Amendment. It does, however, open you up to civil lawsuits for slander and 98% of employers have decided they just don't want to take the risk of an expensive lawsuit.

    --
    Step out the front door like a ghost into the fog . . .
  27. Re:I always suspect.... by RoknrolZombie · · Score: 5, Insightful

    I think I just lack empathy for non-humans. Companies aren't people. When they suffer, I just see numbers changing on a ledger.

    That's funny...when companies make people suffer that's all they notice too...

  28. Re:Because "IT People" are not "Professionals" by cheekyjohnson · · Score: 2

    They give you a solid grounding in a subject and give you the skills to teach yourself about the subject.

    No they don't; they're paper. As for giving you the skills to teach yourself about a subject? You could have done that from the very beginning.

    Certifications are simply a way to prove to a prospective employer that you know the subject.

    But they don't do that. Certifications test for rote memorization and not much else.

    --
    Filthy, filthy copyrapists!
  29. While this guy was an *sswipe... by macbeth66 · · Score: 4, Insightful

    Unfortunately for all of us, some people continue to give us a really bad reputation in the executive suite."

    Sorry, but nothing, and I mean nothing, compares with the bad reputation the executive suite has with everyone. Psychotic bastards, the lot. Have you forgotten the whole banking fiasco that caused a massive economic meltdown? So, I think if anyone has a reputation to fix, it is upper management.

  30. Re: ERP by FuzzNugget · · Score: 2

    Uh, yeah, a place known as "prison". What the summary didn't include is that he was charged and could face up to 10 years and a $250k fine.

  31. Re:ERP by riverat1 · · Score: 3, Insightful

    Then I would say his actions after he quit may provide a good clue why he was passed over for promotions.

  32. Re: I always suspect.... by Anonymous Coward · · Score: 2, Informative

    yea .... failing to secure a vehicle has nothing to do with locking it. It has to do with making sure it will not move on its own.

    A person commits the offense of failure to secure a motor vehicle if the person is driving or is in charge of a motor vehicle and:

    (a) The person permits the vehicle to stand unattended on a highway without first doing all of the following:
        (A) Stopping the engine.
        (B) Turning the front wheels to the curb or side of the highway when standing upon any grade.
        (C) Locking the ignition.
        (D) Removing the key from the ignition.
        (E) Effectively setting the brake on the vehicle; or

    (b) The person is the owner of an unattended motor vehicle parked on a highway in violation of paragraph (a) of this subsection.

    If a policeman says it for not locking your doors they are trying to scare you.

    and for the record I did get a ticket when I was younger for this b/c I forgot to do one of these things and the car ended up in another vehicle.

  33. Re:ERP by TapeCutter · · Score: 3, Funny

    Hack into their computer. /jk

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  34. Re:ERP by Killjoy_NL · · Score: 2

    Ask a friend to pretend to be a prospective employer, let them ask the questions by email (so you have it black on white)
    If they reply in a negative fashion, then you sue the bastards.

    --
    This is the sig that says NI (again)