A former Unix system admin at Medco Health Solutions, a big US drugs prescription management firm, has admitted to planting malicious code that would have destroyed massive amounts of critical patient information. Yung-Hsun Lin pleaded guilty in US District Court in Newark, New Jersey on Wednesday over the charge of transmitting …
The computer will be just fine the software on the other hand is fucked I don't suppose they have a backup or anything like that been a longish time since I heard the term logic bomb used wonder what that is or what they think it is. Is it me or do these sentencing guidelines seem kind of out of proportion to the real crime which by all accounts didn't actually take place prescriptions have a long paper trail no data would be lost permanently no matter what this is really a story about morons catching an idiot.
You do $5k of damage and risk up to 10 years plus $250k fine? Seems a tad excessive to me. Was that thought up by the FIA? Or maybe the damage figure is missing a few noughts?
And having carried out the corrective work, why is the company not sure how much it actually cost? $70k-120k is a pretty ambiguous range for something that has already happened...
"You do $5k of damage and risk up to 10 years plus $250k fine?"
No.. Read more carefully.. "in excess of $5,000" The $5,000 is a limit for one of the american computer crimes. Below $5,000, slap on the proverbials, above $5,000, it's A Crime.
And for the other comment..
Yes, the 'bomb' didn't go 'off', but the 'crime' had already been 'committed' (sorry, got 'carried' away). By your logic, you could plan the assassination of Paris Hilton, get discovered as you're setting up your sniper rifle on the balcony opposite her hotel room, but because you'd never actually fired the bullet, get off scott free..??! And sure, they likely have an excellent backup system, but how long do you think it would take from the time the code wiped 70 servers, to them realising what had happened, calling an emergency, recovering all the data, and getting back into an operable condition? We're talking thousands & thousands of pound-dollars in immediate costs, not to mention the intangible damage to their reputation.
As a sysadmin, this type of crime sets a horrendous example to the world. It's a real crime, he should get a real punishment (although, perhaps living in New Jersey is punishment enough...
Only 10 years
200 years ago this man would have been 'Hung Drawn and Quartered' for messing with data on a Windows 1806 server.
But my wife's not dead, so I can't be guilty
"the real crime which by all accounts didn't actually take place"
Incompetence in crime is generally not a good defense(USA Amglish)/defence(UK English, Canada Canuklish). That is why they have "attempted murder" and "conspiracy to commit murder" and (say goodbye if you are ever charged with it) RICO.
If you ever meet someone famous, and they ask you to go to a hotel room with them to "take" their memoriabilia back.. watch out. If they kill everyone in the room, you are going to get charged with murder too.
How much it actually cost: The company accountants can probably show an even higher cost. They can factor in the cost of the security analysists, the hourly cost of every person who had to look at the report, the cost of the person who typed the report, the cost of the paper it was printed on, the cost of the electricity to run the computer used to write the report, the cost of the electricity to light the lightbulb that was used while writing the report, and even a fraction of the cost of the lightbulb. If the defendant wants to get smart with them, they could probably double it.
Probably an accurate estimate.
It probably took less than an hour to remove than "logic bomb" once he admitted everything, and then thousands of hours to verify that he hadn't done anything else to their computers.
Since this was probably done by company employee's probably during normal working hours then it would be hard to estimate the exact cost.
What annoys me is this isn't a big enough story for there to be a follow up when he is sentenced. Sometime a year from now the thought "I wonder what sentence the logic bomb idiot got", and I will have no way to find out.
Ethics - he'd heard of them
To follow on from Gareth's comments. The other really difficult issue is recovering the current system from the planted bomb. It is no different to finding your PC is infected with a bad virus. The effort needed to convince yourself you have a clean PC is significant, so much so that wiping the disk and a clean install is often the preferred option. But this was a deliberate infection in the client code. There is no tenable equivalent to reinstallation. Not after the programmer had been there for a number of years, with full admin access to the systems. Backups going back years are just as likely to be contaminated, and since he would have had responsibility for many local customisations to the systems, you would not be safe reinstalling these - which would probably leave the system in-operational anyway. After all - one of a sys-admin's core responsibilities is to manage the system, its security and backups, to allow recovery from just such a scenario. When the guy trusted with managing the recovery mechanisms is the guy that does the damage you have a big problem.
So there is then only a very time consuming audit of pretty much the entire system, and eventually settling on an acceptable probability you have eliminated the errant code. All you know is that you had a rogue sys-admin - not that he only planted only one bomb. Secondly, you don't know how competent the bomb code is - like many viruses, errors in the code can be more damaging than the intended actions. Any test versions lying about still? Any hidden code somewhere else that reinserts the bomb?
Sys-admins have an understated but vital duty of care and trust, and a required level of ethical behaviour that goes well beyond many other parts of an IT operation. I find it interesting how the vast majority of admins understand this and how it underpins part of the the ethos of the job. Most admins reading about this guy will feel a very uncomfortable sense of violation of their professional ethics. Hanging is too good.
An Oath for the sysads?
just like the Hypocrite..oops Hippocrates' oath for the meds.....
"200 years ago this man would have been 'Hung Drawn and Quartered' for messing with data on a Windows 1806 server."
Too bad we can't give points for posts, like on Slashdot. This one's good.
Worst. BOFH. Evah
So his code failed, it got found, AND he left enough forensic traces to point back to him? And he achieved all this while having root access?
The guy's gotta go - he's an absolutely lousy sysadmin!
He should have just put Vista on the machine. One giant logic bomb waiting to go off!
70-120 grand to fix?
These guys are on some fantastic overtime rates if it is costing that much to clean some code out of some servers. Is this the same school of damage math than thinks that Gary McKinnon did $700,000 worth of damage to the few computers he accidentally installed some VNC clone onto?
The only damage that was done was to the reputation of the firm who treated an employee so shoddily that he felt his best course of action was to do this stuff.
Im a little irritated, that most of the comments here disscuss the total cost in time and money?
I think the most importent question is, did he with his actions at any point raise any real Danger to patients by any chance? (personaly i think he could propably not be shure he didnt)
I think in general thiefs are punished harder (in relation) than violent people, while it should be the other way round.
We fetch your mail, we route your packets, we guard you while you surf. DON'T FUCK WITH US!
REALLY missing the point...
Go back and re-read the article. This guy's deliberate, maliciously afore-thought sabotage threatened Patient. Safety. Data.
Drug interactions can, and do, KILL. And this zit on society's buttocks planned to deliberately destroy data that is one of the primary defenses against adverse drug interactions. That's every bit as serious as planning to, say, take down the traffic control grid at rush hour in a busy city. Had he managed to cary this off, there was a solid, plausible, realistic threat of innocents dying.
Considering the threat, I'd say the possible penalties are proprtionate, maybe even a touch on the light side.
damn good story - yes he should "be fired because he's an incompetent administrator" so the idea that he could have harmed or killed anyone is pretty dumb.
Unless he was doing things like introducing randomish corruptions to backup tape data and placing heavily hidden copies of his virus code in there too, set to execute within x days after restore (and to continue to corrupt backup data in the meantime).
Add some encryption for future blackmail potential and you have a man set out to do real harm to health and wealth. This guy, he was just disgruntled. 10 years is therefore way too much, I hope they don't throw the book at him.. just, like, 1/3rd of the book.
Oh, and 70-120 k to clean up is a) cheap and b) a reasonable estimate unless there was a project mgr on top of the entire thing, which in emergencies there usually isn't.
Was his bomb programmed to also erase all the backup tapes in offsite storage? O the humanity!
I have no sympathy
Not long ago, we discovered a rogue table in one of our larger databases (a database containing several million records and all their attendant data).
The table contained only one value - the name of a DBA who was fired a year before.
It cost us a lot of time and money to scan every piece of logic to make sure that there was no malicious (or otherwise) code reliant on this table existing. We couldn't afford to take the chance.
Like I said, I have no sympathy.
is quite right. Irrespective of whether it worked or not, his INTENT was to sabotage the patient records of a drug company.
As safety with drug dosages relies on accurate data on allergies, doses etc, he was deliberately risking the lives of a large number of people on that database with his stupid plan.
If he'd run about firing a pistol at random in a shopping centre he would be just as likely to kill or seriously fuck up a random stranger as he was by putting a virus in the system as deaths and severe reactions are likely to have occurred in the time between the virus "going off" and the data being properly restored.
Screw the money, he was dicing with people's lives and deserves to be punished accordingly.
No one died? See Simpson's point: bungling an attempted crime does not alter the fact that you attempted the crime - in this case, indiscriminate murder.
If I ruled the World, there would be a global crime called "Undirected Murder" - deliberate murder of some random person rather than the slaying of a specific target (or targets).
Terrorist bombers, drunk drivers and dicks like that sysadmin would be facing charges of that crime (or attempting that crime).
as a general rule
As a general rule, white collar non-violent crime gets punished far less than violent crime (here in the USA). Especially when the defendants have lighter-colored skin. Obviously, its doubtful the judge will apply the maximum sentence of 10 years.
I feel white-collar crime is not punished often and consistently enough in the US when you consider the amount of damage to society and poverty it causes. Poverty being a definite correlate to VIOLENT crimes. In theory, this real money damage caused by this guy (as explained by earlier comments) could have been used for any number of things, such as researching new drugs or lowering the cost of drugs.
I think the term logic bomb is inaccurate in this instance. The actual term should be 'Time Bomb'. A logic bomb is set to 'go off' when certain conditions are met, a time bomb is set to 'go off' on a particular date/ time.
Real costs when things go horribly wrong ...
While any "what if" costs can be healthily debated, having been involved in a number of investigations I can easily believe that the costs stated are the real cleanup costs.
When someone goes rogue or commits fraud, one of the first steps after backing up everything is to "size the hole". You can't rely on the suspects admissions, or that you have found all the damage, all the fraudulent transactions, etc. That means you've got to look through everything.
IT wrongdoing often doesn't have a hard dollar hit, yet the investigations do. Even in financial frauds, the investigation and remediation can be more costly than the actual fraud.
Consider, how much code could a rogue sysadmin with access to over 70 servers taint? How good are the logs? Can you rely on them? How long will it take to go through it all? How deep could it be planted? How would you make sure your systems were safe? Are you going to rely on the seemingly obvious fact that you have an incompetent bad guy?
If you're going to charge the person, you almost certainly have law enforcement or forensic help to preserve the chain of evidence.
The bills add up very quickly even if you don't hire consultants.
ballooned recovery costs
They always floor me when I read them. Someone I know was charged under the same law for unauthorized access to a Cisco router. He used the default password to log in *and* enable on the system. He changed the password to something a bit more secure and put a login banner describing what happened and who to contact for the password. He was getting hammered by Cisco ICMP floods that null routed his IP addresses from his provider and decided to go vigilante and secure some routers on his own.
Anyway, the one single event in question blew my mind. The defendant stated it took 29 hours (at some insane rate/hr) to repair the damages (remove the banner, change the password). In total it was estimated at over $11,000.
While I do have some choice words to describe my friend's actions, two words come to mind to describe the defendant: incompetent, negligent.
I guess it pays to be stupid.
I'm seeing several posts arguing about the use of "logic bomb". The one I find particularly funny is: "I think the term logic bomb is inaccurate in this instance. The actual term should be 'Time Bomb'. A logic bomb is set to 'go off' when certain conditions are met, a time bomb is set to 'go off' on a particular date/ time."
So... the arrival at a certain date and time isn't classified as "certain conditions are met"? I guess you're just a curious bystander then, and evidently have nothing actually to do with the IT industry. A time bomb 'explodes' (or in this case, activates) when "certain conditions are met", those being when $DATE=today and $TIME=now. Learn something before tapping randomly on your keyboard.
Back on topic: as for the guy, I think he should be punished as badly as he can be. Patient safety, research data - quite apart from the money, as has been noted already, it's also the human hours spent on this which then backs up all the other tasks needing done, creating a huge amount of work for already under-appreciated admins. Slap this guy's face. With a server.
@Simon it's not clear that the guy was treated shoddily. It says he was concerned for his job after a his company was spun off.
I've seen several cases of disgruntled employees where they were not treated shoddily. In a couple of cases the employee badly abused the trust of an employer who was trying to be flexible and accomodating.
In this case, I suspect the costs are a reasonable. Possibly a bargin.
But you and others are correct, sometimes the damages in these sorts of situations are unreasonable. But who's actually gouging whom?
I can't speak to all of these, but I've seen a number of cases where the company was naive and hires a contracter that takes them to the cleaners. Why? Cluelessness and greed.
I've seen cases of multiple abuses. Often the first guy that gets caught finds they're at the bottom of a dog pile. Much easier and far less embarrassing to unload the whole wad at once on one person.
Ha Ha (in the style of Nelson Muntz)
Soooo... if I get fired, all I need to do is say 'logic bomb'?
and my ex-employer automatically looses 70-120k
Well that settles it, no need to actually get in trouble, it'll be more fun knowing they spent so much looking!
(hmm on correct post this time..)
Jason Togneri: If you want to get snotty about it, a time bomb is a subset of logic bombs. In this PARTICULAR case, it was SPECIFICALLY a time bomb. A logic bomb would trigger on specific events, which do not need to be date/ time related. As you said, "A time bomb 'explodes' (or in this case, activates) when "certain conditions are met", those being when $DATE=today and $TIME=now" You used the term 'Time bomb' reinforcing what I said, so why the dispute?
- Analysis Oh no, Joe: WinPhone users already griping over 8.1 mega-update
- Opportunity selfie: Martian winds have given the spunky ol' rover a spring cleaning
- OK, we get the message, Microsoft: Windows Defender splats 1000s of WinXP, Server 2k3 PCs
- Spanish village called 'Kill the Jews' mulls rebranding exercise
- NASA finds first Earth-sized planet in a habitable zone around star