Slashdot Mirror
Sysadmin Gets Two Years In Prison For Sabotaging ISP (bleepingcomputer.com)
After being let go over a series of "personal issues" with his employer, things got worse for 26-year-old network administrator Dariusz J. Prugar, who will now have to spend two years in prison for hacking the ISP where he'd worked.
An anonymous reader writes: Prugar had used his old credentials to log into the ISP's network and "take back" some of the scripts and software he wrote... "Seeking to hide his tracks, Prugar used an automated script that deleted various logs," reports Bleeping Computer. "As a side effect of removing some of these files, the ISP's systems crashed, affecting over 500 businesses and over 5,000 residential customers."
When the former ISP couldn't fix the issue, they asked Prugar to help. "During negotiations, instead of requesting money as payment, Prugar insisted that he'd be paid using the rights to the software and scripts he wrote while at the company, software which was now malfunctioning, a week after he left." This tipped off the company, who detected foul play, contacted the FBI and rebuilt its entire network.
Six years later, Prugar was found guilty after a one-week jury trial, and was ordered by the judge to pay $26,000 in restitution to the ISP (which went out of business in October of 2015). Prugar's two-year prison sentence begins December 27.
When the former ISP couldn't fix the issue, they asked Prugar to help. "During negotiations, instead of requesting money as payment, Prugar insisted that he'd be paid using the rights to the software and scripts he wrote while at the company, software which was now malfunctioning, a week after he left." This tipped off the company, who detected foul play, contacted the FBI and rebuilt its entire network.
Six years later, Prugar was found guilty after a one-week jury trial, and was ordered by the judge to pay $26,000 in restitution to the ISP (which went out of business in October of 2015). Prugar's two-year prison sentence begins December 27.
... simply telling them he wasn't interested in helping them with the problem. If you're going to do something like this, you have to learn to balance ego and revenge.
And keep a copy of your stuff on hand before you get fired.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
You gotta hand it to the guy for negotiating for the rights to the software. He kinda was *TRYING* to do the right thing by making sure he had the proper rights to the software (presumably before he sold it himself). A more unscrupulous man might just have stolen the software and used it to start his own business without any notification at all.
I think his intent was to gain ownership of his scripts in the hops he could hide is tracks or at least obscure his sabotage.
The world's burning. Moped Jesus spotted on I50. Details at 11.
"Judge Rambo ordered Prugar to pay $26,000 in restitution."
I guess its better than getting sentenced by Judge Dredd.
Which I don't get.
For one it doesn't sound like the company would know any better.
He could have hit this company up for a couple of grand owe day, did whatever he wanted with his scripts and nobody would have been the wiser.
As making a living out of being all things 'admin' (sys/network/engineering, ect.), he totally deserves this. This guy is total amateur-hour and quite simply deserves what he got. If it was really about your scripts, then they were probably garbage anyway. Any admin with have a brain keeps copies of their stuff; I actually use version control systems right long with software developers and engineers, so an even bigger reason to manage your domain better.
I'm sure he had a fair bit of perceived egotism and elitism in his attitude and work ethic, which made the situation what it was and resulted into today for him.
Even that, if he was able to log on to absolutely anything after his contract was terminated, then shame on the ISP, too. That's probably why they don't exist anymore. In any fairy constructed IT shop of sys-admins, regardless of how the rest of his co-workers felt about the situation of all of it, his access to everything would have been gone the second he was being walked out the door by security, HR, ect.
I agree it's not hacking, but its also not legit. No longer an employee, he had no authorization to access the ISP's internal network even if he had the ability to do so. The CFAA is pretty clear on that.
Hacking is just a popular term with no legal meaning. The actual laws would have been against unauthorized access and causing damage. And yes, the access was clearly unauthorized regardless of the method used.
Uh. No. legit access stops as soon as he is terminated. Still having an old house key to a place that you used to live does not entitle you to go into that house uninvited at your own discretion
File under 'M' for 'Manic ranting'
It sounds like most of the punishment was based on the (accidental) disruption to the ISP, rather than the actual hacking and theft of code.
This is a bit like sending someone to prison for arson, because they knocked over a gas space heater while robbing a store.
... simply telling them he wasn't interested in helping them with the problem. If you're going to do something like this, you have to learn to balance ego and revenge.
And keep a copy of your stuff on hand before you get fired.
He wasn't charged with making a copy of the things he had. He was charged with breaking the system.
It would depend on how well the prison is ran.
Often the jails are just filled with drug offenders. Not the harden criminals. For a nerd it would be like being at high school again.
However many IT Guys are just as big and tough as any other person who goes into prison. This is 2016 not the 1980's Revenge of the Nerds movies.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
... simply telling them he wasn't interested in helping them with the problem. If you're going to do something like this, you have to learn to balance ego and revenge.
And keep a copy of your stuff on hand before you get fired.
He wasn't charged with making a copy of the things he had. He was charged with breaking the system.
Yes. However the article said he deleted the files to cover his tracks while he was trying to get a copy of his code. If he had kept a copy, he wouldn't have had to log in then try to cover his tracks.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
You can be charged with breaking and entering a property even if the door is unlocked so this is no different in that he unlawfully accessed a system that he no longer had a right to access. It doesn't matter if he or an ex has a valid key or not if they are no longer welcome on the property. In this case, termination of employment makes that pretty damned clear. It doesn't matter if the ISP was incredibly stupid and negligent in their own actions by not revoking the former employee's access credentials.
If you want to argue whether or not this is "hacking" or not, it's probably not what a computer literate person would consider hacking, but it probably fits in the overly general and vague use of the word by the media and non-technical individuals. The former are going to agree with you that it isn't (though probably not for the reasons you've used) and the latter don't care so the argument is rather pointless.
The article names it as Pa Online.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
"However many IT Guys are just as big and tough as any other person who goes into prison. This is 2016 not the 1980's Revenge of the Nerds movies"
Quite true. More than a few of the sysadmins I know are outdoorsy types in good shape and a couple are really big fella. The one I know who's most like Prugar is 6-2, 250 lbs. He may not be a streetfighter but he's far from the 1st person you'd think of trying to push around - although you're welcome to try.
Pain is merely failure leaving the body
And keep a copy of your stuff on hand before you get fired.
If you were doing it at work on company systems it's probably not "your stuff" anyway, it's probably small utilities he used to make his job easier. If you want to do something for yourself do it on your own time on your own machine, don't use any company resources and try not to do anything that would make them question your loyalty to your day job. Being a consultant or contractor is fine because everyone knows that. Being an employee with a secret double agenda is not.
Live today, because you never know what tomorrow brings
It's like when you give your SO a key to your place, then forget to change the locks after you both break up.
That's still a B&E, bro.
It can be assumed that if the username/password works access is authorized
Authorized by the computer system, yes. But not authorized by the employer.
If it weren't for deadlines, nothing would be late.
On one hand, I cheer Prugar because I have been fired from jobs and I was told that I am "not a team player." Never mind that I had one of the highest issue solve rights and work completion rates of my team and department. Yes, I am socially awkward and have a disability but, when the day is said and done, isn't a job about productivity? Firing someone because you feel threatened by them is evil. On the other hand, I think that two wrongs don't make a right. I believe he would've been better off asking for his job back. It has become too easy to fire people based on a whim so this is why I like to see corporations take a big hit occasionally. They get too big for their britches and need a little bit of that hubris deflated.
And climb to the top of a ntpd tower with a rifle?
Doesn't quite have the same ring to it.
So pretty much in line with most stories about "hacking". Accessing a system that has a blank password is considered hacking to the media.
Time makes more converts than reason
How did that work out for him? Not so good.
Time makes more converts than reason
for anyone in a similar position.
Make sure you build in _delayed_ time bombs, and _wait_ a while before wrecking your former employer. And if they ever ask you to help, tell them to shove it.
Rule 35 of the internet: "If it can be hacked, it will be". - Charles Stross
Your assumption is incorrect.
You do not have authorised access after you are fired, regardless of whether you can still get into any systems, physical or otherwise.
kick someone's ass the first day, or become someone's bitch. Then everything will be all right
This kind of thinking is what got him in trouble. It's not your stuff. It's work for hire, and they own the copyright. If your company were to discover you took software with you (written on their time), and they actually cared, they could have you arrested for theft.
I agree.
If you think you have the ego of Jupiter you may put down some key stuff on a VeraCrypt partition/drive requiring a password or key file to unlock. Not everything, just some small pesky parts that's an annoyance if it's not in place. Like scripts for automatically mailing key users when stuff goes down. When it's no longer running they have to check everything manually. Such small details that can bug the heck out of people without stalling the operation.
The point of an effective sysadmin is to keep stuff running without people noticing that stuff has broken down. If your sysadmin looks idle and relaxed then all is good. If he looks stressed out you have a real problem.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
He could have placed them on a password protected VeraCrypt drive requiring a password after a reboot.
"No, I don't remember any password" is the answer when asked.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
I have been told a weedy little guy with a shiv trumps a big guy that believes in fair play every time. It's not a holiday.
And keep a copy of your stuff on hand before you get fired.
If you were doing it at work on company systems it's probably not "your stuff" anyway, it's probably small utilities he used to make his job easier. If you want to do something for yourself do it on your own time on your own machine, don't use any company resources and try not to do anything that would make them question your loyalty to your day job. Being a consultant or contractor is fine because everyone knows that. Being an employee with a secret double agenda is not.
I'm aware of the ownership matter. But if you're planning to keep it anyway, it's better to not have to hack your old employer to get it.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
I'm an inch taller and a couple of pounds lighter. People call me a rake. I can't see him being overweight.
Why didn't they disable his sign in credentials when they let him go? That's as amateurish as his hack!
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
I'm imagining a situation where this kid was the rock-star of the organization, which was pretty weak in the IT side. He wrote the systems that controlled everything, and he probably setup all the servers, etc. Since he was pretty young, he didn't use proper AAA systems, and probably created logins for himself on all the systems. He probably knew all the back-doors and other ways to get into the systems since he built it.
When he got fired, his employer probably removed his key-card access (if they used one), and most likely his email. They didn't /know/ about all the shadow systems and logins that exist because he didn't document them. And that is where the problem began...
Real pros design their code with subtle flaws that will make it fail a few weeks after they get fired, and then obfuscate it in a way that looks like they are just a plausibly crap programmer. Throw in a few random frameworks for misdirection and convert the odd critical function to COBOL, and you have guaranteed employment for life.
At least, that's what I assume pros do, based on the code I have to maintain.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
'Prugar worked as a systems administrator for Pa Online until June 2010, when after a series of "personal issues" with his employer, he was let go.'
What was the nature of these "personal issues" Prugar had with Pa Online?
Well, define overweight please. I myself weigh 188lbs at 5'10 and have approximately 17% body fat. That is well within military standards, in case you were wondering.
It is not yours. Unless you bought it, not even the red stapler is yours. And if the scripts are yours, you will have proof that they are yours. If you don't they are not yours.
So assume they are not yours, unless you have legal proof that they are.
Don't fight for your country, if your country does not fight for you.
Remind me to never hire you.
No kidding. At least the OP had the sense of posting that as AC. Sadly the software industry is full of these wackos.
Arrested for theft? Not really.... they could sue for copyright infringement though.
There are people who do violent crimes or crimes that physically hurt people and get less than 2 years of prison.
From the sounds of this story it *was* amateur hour, and he went to far and made a mistake. Like you I keep copies of my scripts etc, but I have no illusions about ownership, and franking they are welcome to them if the next guy can even figure it out. However I'd take my stuff to help me on my next gig, though I not go as so far as to try and delete them from company systems. That said the mistakes he made were that he I guess didn't feel all that confident really in his decision as why delete user logs if you think you are in the right, doing it in such a way to take down the ISP must have been a colossal screw up and he probably didn't know what he was doing. Then trying to sell his "IP" back to his company, well that was also dumb. After being laid off, he should have simply said no think you I have another job now and do not have the time and I don't work for you any more, good luck with the recovery. At any rate due to his bungling the ISP did have losses, in terms of outages to customers, so he does deserve some punishment. From the sounds of it they were not down all that long anyway. Though I'm sure he must feel something about the company going out of business in the next couple years, probably like serves you right. Additionally, it does sound pretty suspicious that an ISP would fire their sysadmin without having hired a new one? Then being really surprised when things fall apart when they don't have one, or if they hired one that is unable to run/fix things... Anyway he was convicted, but there are parts of this story that make me think perhaps we're only reading about one side of it.
No it wasn't, but AC empowers people to let their inner dick shine through.
OK, the ISP in question should have known that this guy was a sysadmin and revoked all of his credentials as soon as he was terminated. But, even if I have a key to my old house, I can't just walk in, turn on the TV and make myself a sandwich when someone else owns it (or is renting it from me.) That part of the story is why the jail time is warranted. Sysadmins should be professionals...yes, I know very few businesses treat them as such, but acting professionally is the first step to being recognized as one. I've been doing this for quite a while, and have experienced capricious firings, offshorings and layoffs. The way to deal with it is to go have a couple beers then find another job...not use your old (admittedly still valid) credentials to get back into your employers' systems and get some petty revenge. This stuff gets even more interesting when you're talking public cloud -- in that case if you have the right access you can just fire off a script to erase every service and VM your company has given you control over, along with backups, all over the Internet.
Whenever I leave a job, I've been very careful to show that I've removed all my access to anything...it's a good way to say "everything else from this point on is the new guy's fault." I've been at my current employer for a long time, so I do the same whenever I change projects and don't need access to the things I was working on last. However, given the brief description of this guy, he sounds like he indeed has personality issues. I've worked with people who take the slightest criticism as personal insult and make absolutely no attempts to work with others, but they're kept on because they are in control of a key process or have some other nugget of knowledge they haven't been forced to share. I know it's IT and we folks who are good at it tend to be a little "different" -- that goes double for me. But I'm not saying we have to be buddy buddy with the coke-snorting strip club-going salespeople...just decent humans to work with. Do just that, and chances are you won't be fired for not being "a team player" if you're any good.
I think a real pro doesn't build time bombs in his code. Not only is this idiot going to jail, but good luck finding employment in that field again. He should spend the rest of his sentence practicing "And do you want fries with that?"
The world's burning. Moped Jesus spotted on I50. Details at 11.
It can be assumed that if the username/password works access is authorized
Can I similarly assume that if your door's accidentally left unlocked I can walk in and leave with your computer?
Got them moderator blues I blieve I walk out the do', With these mod-points I been gettin', I 'most never post no mo'
Prison isn't like the movies, especially the medium to minimum security prisons this guy will likely end up in. I've seen some of the nerdiest guys come in to the joint and actually do pretty well. May as well have been the first time in their lives they actually were somewhat accepted in to a group. Sure, if you're the autistic type of nerd that wants to fight and argue over silly shit someone will probably kick your ass, otherwise if you stay out of the bullshit like gangs, drugs, and debt you'll probably do just fine. Most prison rape and shit like that is done for revenge, it's an act of violence and a snow of animalistic dominance. Being a small weak man doesn't make you a target for rape unless they think you're a chomo or something. For sexual pleasure there are more than enough punks around that will gladly suck and fuck. The kind of people that are just relentless predators like that are usually segregated pretty quick, it's doubtful a man doing 2 years for computer crimes would ever even meet someone like that. As long as he keeps his head down his biggest risk will most likely be people trying to borrow ramen noodles and not paying him back.
A long rant for someone who probably was just trying to be funny, but as someone who fucked up royally in his younger years and had to do time it's pretty annpying. I'm pretty honest about my past, and invariably the first question asked by most people after finding out I did time was if I was ever raped. The answer is no. I've seen some violence, I've seen some sex, and even heard about a few rapes, but prison is a vastly different world from what it is portrayed, even at maximum security institutions. I even got the fuck beaten out of me and served three months in the hole on 23 hour lockdown, but that only happened because I thought I was tough and started shjt. Never had the slightest problem until I made my own.
Almost everything I do on this job is highly specialized software that would be of no use to me on my own projects. They pay me to do this stuff, and they own it.
If I do have anything I want to keep, I make sure I've got it while I'm still employed.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
I think it's a lot more serious than that if you actually take the code.
Why couldn't he be muscular? You are assuming that weight is fat, which is the problem with any metric regard just height and weight. Per BMI, Dwayne Johnson is obese. Would you like to tell him that?
You misunderstand. Yes, he can be muscular, but the problem is with his 5'7" and a BMI of 25.1, his average fellow inmate would likely be bigger and stronger.
Just to give you a frame of reference, Tom Cruise is the EXACT same height as the AC poster of 5'7" only Cruise weighs 201lbs, giving him a BMI of 31.5. If you look at Cruise in his movies, he's not really that big of a guy. Now consider that Arnold Schwarzenegger also had a BMI of 31.5 when he was in the first Terminator movie. Given that he is 6'2", that BMI makes a massive difference in terms of appearance, even though Arnold was the same BMI as today's Tom Cruise.
But again, AC poster is 5'7" with a BMI of 25.1, so think about that for a minute. That should be enough to tell you just how small the AC poster actually is, even if he's all muscle.
Also if you follow the WHO guidelines, Cruise and Arnold are both obese by definition, hence the problem with BMI.
Where is your source for Tom Cruise being 201lbs? There is no way he weighs that much. Conor McGregor is 5'9" and 155. There is no way Cruise is packing another 45lbs on a shorter frame. AC poster being 2" shorter, yet 5lbs heavier, is probably not as small as you think.