IT boss gets 30 months of porridge for trashing ex-employer's servers

A rogue IT manager has been sentenced to 30 months in prison after he changed jobs and decided to take revenge on his former employer. From 2007 to March 2012, Nikhil Nilesh Shah, 33, worked at mobile apps developer Smart Online in North Carolina, US. After moving on to another job, Shah accessed his old company's servers …

  1. Youngone

    iPhone

    The article leaves out whether or not the FBI asked Apple to decrypt the perp's iPhone.

    I'm guessing yes.

    1. Anonymous Coward

      Re: iPhone

      Who knows what sort of phone he had? Have you ever tried to crack anything using a phone - it's really tough due to the small screen?

      The article also leaves out the time of the next high tide at Newlyn - a dreadful omission.

      I'm guessing you're pissed.

      1. Mike Scollan

        Re: iPhone

        I understand the point the OP was making perfectly.

        Your point eludes me though.

        I'm guessing I must be pissed too then.

      2. Peter Simpson 1

        Re: iPhone

        Have you ever tried to crack anything using a phone - it's really tough due to the small screen?

        Not like the old Western Electric phones. You could use their handsets to crack walnuts.

        // my lawn. off it.

      3. oneguycoding

        Re: iPhone

        Every time I try to hack one of my ex-employers using my phone I get annoyed before I even finish typing their host address, ssh foo.bar ... ah feck it.

    2. Anonymous Coward

      Re: iPhone

      It's interesting your 'cloud' data are not protected by the very same companies who resist unlocking a phone. Apple too handed over iCloud backups and no one complained. Why should backups not be protected as much as the phone itself? And it's an implicit admission that cloud data are accessible by the cloud company. So the iPhone battle is just a marketing stunt to try to sell more. And maybe Apple already breaks into them routinely - secretly - to sell them in places like China.

      Never put your rights in the hands of someone moved only by money interests.

      1. DaddyHoggy

        Re: iPhone

        Apple handed over the iCloud data to a company owned phone - so the data was not legally Farook's and Apple had no issue about handing over Govt Agency data from a Govt Agency Phone, to another Govt Agency - because that mechanism already exists (Apple says your iCloud data is safe as long as it's legal - it's in their T&Cs)

        Farook's iPhone could have had an app installed that would have given the phone's legal owners the ability to prevent him putting in his own passcode to lock the phone as it is now. But they bought the software, but never got round to installing it. This is their fault, not Apple's.

        The crack that the FBI require to the 5C does not exist, Apple will have to engineer it - it will still only give the FBI the ability to initiate a brute-force attack on the passcode - they may still not actually ever (in a sensible time) find the passcode and therefore unlock the phone's secure partition.

        As has been said many of thousands of times - it's not really about the data on the 5C any more - it's about setting a legal precedent so that Apple (and no doubt other manufacturers eventually) can be compelled to do this repeatedly until it becomes necessary to simply install a backdoor into the device.

        You should probably read more of the background to the story before making stupid comments - is this why you posted as AC?

        1. Sleep deprived

          Re: iPhone

          Instead of just asking for a crack that will allow it to brute-force the iPhone, why doesn't the FBI ask for a crack that performs the brute-forcing itself, iterating passwords until the valid one is found?

    3. Matt Bryant

      Re: Youngone Re: iPhone

      "The article leaves out whether or not the FBI asked Apple to decrypt the perp's iPhone....." Given the trail of evidence left I seriously doubt they needed to hack anything! Mind you, that does probably peg him as an iPhone user.....

  2. Captain DaFt

    Dumb git cubed

    Dumb for doing it, dumb for the way he did it, and dumb for bragging about it.

    Must have really wanted to spend time in Club Fed.

    1. Medixstiff

      Re: Dumb git cubed

      I have never worked with or met a fellow IT person who would do this utterly stupid stuff, maybe because we all know we would not do well in prison.

      1. Halfmad

        Re: Dumb git cubed

        I don't know anyone who would remote in after leaving to do it. Do it whilst you are there, set it to go off well after you've left etc.

        Employers are typically very bad at handling staff leaving; personally, now that I work in IT security, I'd like admin rights stripped from any staff the moment they hand their resignation in.

        1. Anonymous IV

          Re: Dumb git cubed

          > I'd like admin rights stripped from any staff the moment they hand their resignation in.

          How would this help? If this is a known policy, then surely a nefarious individual would do all the naughty stuff before handing in their resignation?

          (As you said in your first paragraph...)

            1. John Brown (no body)

            Re: Dumb git cubed

            And most people who leave or resign as opposed to being fired or made redundant are not nasty little shits out for revenge and are likely to remain productive while working out their notice period. After all, they may want references in the future or even to come back at some stage.

      2. LucreLout

        Re: Dumb git cubed

        @Medixstiff

        I have never worked with or met a fellow IT person who would do this utterly stupid stuff, maybe because we all know we would not do well in prison.

        Yes, I'd be very popular in prison, which is why I really don't want to go there!

        No matter what kind of bad joke company I may be working for, there's nothing they can do to me that I'm going to feel is worth being made to shower with a bunch of men that haven't seen a woman in years or decades, and who've been busy hitting the gym while I've been hitting the burger bar.

    2. Michael Thibault

      Re: Dumb git cubed

      Three dumbs and... not quite out: at least he had the sense to plea bargain a relatively short engagement at Club Fed, followed by a decade or more of abject poverty, which he'll be able to savour while walking aimlessly about, or--if he's lucky--from job interview to job interview. Don't do the crime...

    3. allthecoolshortnamesweretaken

      Re: Dumb git cubed

      The guy is clearly prime management material.

  3. Phil Kingston

    No policy of changing passwords when tech staff leave?

    Bet they have one now.

    1. Anonymous Coward

      We do not change passwords. We have a policy there are no shared passwords. Only nominal accounts that are disabled and then removed (they are not removed immediately for accounting reasons).

      1. Doctor Syntax

        "We do not change passwords. ... accounts ... are not removed immediately for accounting reasons"

        So why not change the password immediately? Your procedure leaves you at risk until the account is deleted.

        1. Ragarath

          I'm guessing s/he does as we do. The account is disabled until deleted. No point changing the password.

        2. Anonymous Coward

          The part of the quote you omitted about ...are disabled... is the key. Can't log into a disabled account. We do the same here.

          1. Phil Kingston

            Yep, disable is, in my experience, best. Cos then you pretty quickly find which critical services they'd set to run as their own user account. Which can then be fixed properly.

            Then someone has the lovely task of sorting all switches, service providers, routers and other kit/services not using centralized authentication.

            But I know a lot of places that wouldn't even have a list of what needs changing.

    2. Tony S

      Ummm...

      "No policy of changing passwords when tech staff leave?

      Bet they have one now."

      You'd think so wouldn't you; but based upon the average company's methods of working, I'd be prepared to bet they've done SFA and won't do anything until it's happened another couple of times.

    3. DavCrav

      "No policy of changing passwords when tech staff leave?

      Bet they have one now."

      On the contrary, I wouldn't be surprised if his logon details were still valid.

    4. introdium

      right.. cite those idiots left behind for not doing that BASIC TASK.

  4. nedge2k

    Triangulate?

    Wait, what? I was always under the impression telcos only ever stored info about the cell you were connected to and that they only triangulate on request? There's a big difference between you being within a certain radius of a cell tower and actually triangulating you to within a few meters...

    1. Anonymous Coward

      Re: Triangulate?

      Your mobile phone always (well, almost - when possible) will maintain connection with many available nearby MBS, because it needs these to take over your active connection when you move (e.g. travel). Hence it is entirely possible to triangulate your position from MBS logs.

    2. patrickstar

      Re: Triangulate?

      It's part of the protocol for GSM et al. To fit the transmissions from the phone into the timeslot properly, the delay (== distance) to the base station must be known. So as long as the phone sees more than one base station, triangulation is essentially always done. However, the telco may not actually store the data, or keep it around for very long.

      Also it's worth pointing out that in the inner city cells are often so small that just knowing which one is the closest is enough to put you within a couple of blocks at most. (And that some telcos leak this info to the whole world over the SS7 network. Wonderful times we live in...)

  5. tiggity

    pen & paper

    What sort of muppet would email sensitive data to themselves when simple non digital (& far harder to trace) alternatives such as pen and paper exist to make note of credentials

  6. Anonymous Coward

    Shah talking

    They should make a new entry in the Oxford dictionary to cover this mastermind behaviour, clearly a pattern. Or a disease, or a 21st century mutation, spreading like wildfire.

  7. werdsmith

    If you want to get revenge on your ex-employer, go and work for their competitor and make a real success of it. I don't think revenge could be any sweeter than that.

  8. Alistair

    on dismissal process

    1) disable AD account, (no permitted logins) <evict active sessions>

    2) disable (Lock password, expire account) all unix accounts <kill active sessions>

    3) change permissions on .ssh/authorized_keys to 744 < handy trick that most security folks DO NOT have in their processes> where the file exists.

    Go back through the loop and modify the username details to include appropriate tagging that indicates the account is owned by someone no longer with the company.

    and if your VPN isn't attached to AD or a unix account somewhere, *remove* the token generator from the system, and then lock the serial number out.

    Oddly I've seen stupid s&&t like this done. Not once, but twice. Both times in our case it was HR leaking details to the wrong bodies prior to the action. Both times, offsite tape backups to the rescue.

    This just goes to show that Cloud is as light and fluffy as the name.

    As for the commentary about the fibbies and the iPhone.

    METADATA!!!! they have the cloud backups and they have the metadata. This is a legal move to set a legal precedent, and if Apple wins, it becomes even worse.
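The unix-side steps of the process above (lock and expire the account, kill sessions, neutralise the SSH key file, tag the account, then find services still running as the leaver), as an added shell example that is not from the comment thread or any vendor; it assumes Linux shadow-utils `usermod`, procps `pkill`/`ps` and `getent`, needs root to take effect, and with DRY_RUN=1 only prints the planned commands. It moves authorized_keys aside rather than setting it to 744, because sshd still reads a key file that is merely world-readable; only group/world-writable files are rejected.

```shell
#!/bin/sh
# Leaver lockdown for a unix account. Added example, not from the thread or any
# vendor. Assumes Linux shadow-utils (usermod), procps (pkill, ps) and getent.
# Needs root to take effect; with DRY_RUN=1 it only prints the planned commands.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# offboard_user USER [HOME]: HOME is normally looked up from passwd; it can be
# passed explicitly so the plan can be exercised against a constructed directory.
offboard_user() {
    user="$1"
    home="${2:-$(getent passwd "$user" | cut -d: -f6)}"
    stamp=$(date +%F)

    # Lock the password, expire the account (1970-01-02 is already in the past,
    # so sshd and PAM refuse every login method) and drop the shell.
    run usermod --lock --expiredate 1970-01-02 --shell /usr/sbin/nologin "$user"
    # Tagging step: mark the GECOS field so ownership is obvious in audits.
    run usermod --comment "LEFT-COMPANY $stamp - do not re-enable" "$user"
    # Kill active sessions; pkill returns 1 when nothing was running, which is fine.
    run pkill -KILL -u "$user" || true

    # A locked password alone does not stop sshd public-key logins, and a 744 key
    # file is still readable by sshd. Move it aside instead: reversible, and it
    # keeps a record of which keys were present.
    if [ -n "$home" ] && [ -f "$home/.ssh/authorized_keys" ]; then
        run mv "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys.offboarded.$stamp"
    fi
}

# Follow-up from the replies: list processes still running as the leaver, so
# services that were set to run under a personal account get fixed properly.
services_running_as() {
    ps -u "$1" -o pid=,comm= 2>/dev/null
}
```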

    1. phuzz

      Re: on dismissal process

      You forgot to go through all of your switches, routers, VPN appliances etc. and remove any logins, and/or change the admin password. Oh, and don't forget your physical security, change keys that they've had access to (they could have duplicated them), and change any security codes they may have had.

      (and I'm sure I've forgotten some other possible problems as well)

      1. Jo_seph_B

        Re: on dismissal process

        ^This just shows it's not as simple as people think to simply lock an ex admin out of systems after they leave.

        Unless you have a solid system for managing access, and I'm yet to find one that's perfect, or even close, then you'll most likely never think of everything they could access. Domain accounts and local accounts could be created by the admin that don't appear related. I can even remember a couple of obscure passwords from service accounts that were randomly generated. They could easily have left this stuff lingering and it'd be tricky to spot.

        You have to do something but no guarantee it'd ever be enough.

        The number of places I've worked that I could still access is untrue. Luckily for them I'm not as bitter, or stupid, as this chap.....

  9. chivo243

    $324,462 in compensation

    Wow, this guy won't be eating well for quite a few years after getting off of porridge... Unless he gets a job at Ron's House flippin burgers...

  10. wsm

    Sentencing

    If this is like most federal prison sentences, he'll be out in about half the sentence time after being given credit for time served during the trial, time reduced for good behavior and time reduced because the prison system needs more space.

    The compensation won't happen because, as is obvious, he's got no career ahead of him. Without a big score in Lotto winnings, it's a debt that will never be paid.

    So it looks like the sentencing is largely posturing for the justice system. They want the next fool to know what he's in for.

    1. patrickstar

      Re: Sentencing

      There's very limited opportunity for parole in the federal system. Earliest you can get out (not counting time served in pre-trial detention) is around 85% or so of the full sentence; you can get a (low) number of days in 'good behavior' credit for each year served.

  11. oneguycoding

    Seems appropriate

    Now how is it that they can find an appropriate sentence for this guy, but bankers and assorted Wall Street financiers still haven't paid for what they did in 2008. I'm starting to think that those guys are all going to walk.

    1. ian 22

      Re: Seems appropriate

      Walk? Surely they'll float away on their huge yachts, or fly away in their private jets. Walking is for peasants.

    2. Matt Bryant

      Re: oneguycoding Re: Seems appropriate

      ".....but bankers and assorted wall street financiers still haven't paid for what they did in 2008....." LOL! If they had done something illegal then you can bet your pension that Obambi and chums would have rushed to court. They loved blaming the crash on "The Bankers" because it absolved them of all blame for buying votes with their broken sub-prime mortgage policies, starting with the Community Reinvestment Act (https://en.wikipedia.org/wiki/United_States_housing_bubble). But there was nothing illegal in trading in securities, including mortgage debt, and still nothing illegal in doing so even today. So there was plenty of bluster about "criminals on Wall Street" but no desire amongst Obambi's chums to actually take any of them to court and have their policies examined.
