Ex-Citibank IT bloke wiped bank's core routers, will now spend 21 months in the clink

A former employee of Citibank has been sentenced to 21 months in prison for crippling the bank's internal network. Lennon Ray Brown was given the nearly two-year jail term – along with a $77,000 fine – by a Northern Texas District Court this week after he pleaded guilty to one count of intentional damage to a computer. Brown …

  1. Anonymous Coward

    Lock out their accounts first...

    ...then fire the twat.

    1. Stoneshop Silver badge
      Holmes

      Re: Lock out their accounts first...

      IF you intend to fire the twat. Just a poor performance review would be insufficient cause for such a measure. "Poor performance warning" plus "tendency to go postal" probably would.

      1. Nano nano

        Re: Lock out their accounts first...

        Well, in this case, "tendency to go Banksy ..." ?

    2. This post has been deleted by its author

  2. vir

    "I'll show you poor performance..."

  3. Stoneshop Silver badge
    Headmaster

    reprimanded for poor performance.

    Not to mention poor grammar.

    1. Aremmes

      Re: reprimanded for poor performance.

      Perfectly cromulent Texas speak there, I'm afraid.

      1. ecofeco Silver badge

        Re: reprimanded for poor performance.

        Cromulent. Have an up vote.

        1. Anonymous Coward

          Re: reprimanded for poor performance.

          Cromulent. Have an up vote.

          I'll give the OP that. But only that.

      2. This post has been deleted by its author

    2. Michael Strorm

      Re: reprimanded for poor performance.

      @Stoneshop; "Not to mention poor grammar."

      Someone asked him about his poor grammar, and he told them that, yes, it was very sad, she'd never been quite the same since she got run over by a reindeer.

  4. Version 1.0 Silver badge

    And today's lesson is?

    a. He's a twat.

    b. Because it's possible to do this and not get caught.

    c. You can only back up so much stuff.

    d. You can't back up everything.

    e. Look on the bright side - it could have been A LOT WORSE.

    1. Gordon 10 Silver badge

      Re: And today's lesson is?

      Indeed he deserved the jail time for bragging about it and getting caught.

      1. You aint sin me, roit

        Re: And today's lesson is?

        But if he hadn't bragged about it then his superiors would just assume that he'd messed up again - typical incompetent IT staff.

        Whereas he wanted to show the world that while his performance might be poor he was still an important person because he could do some damage. But not too much damage, because he only wanted to give them a warning.

        He wanted his masters to know that he was somebody... that he could have been a contender!

    2. asdf Silver badge

      Re: And today's lesson is?

      21 months in a Texas jail will probably help with an attitude adjustment. Did he honestly think his career was ruining when he wasn't even fired and could simply look for a new job? Well now it almost certainly is. Idiot.

    3. macjules Silver badge

      Re: And today's lesson is?

      Indeed, and I might surmise that in jail in Texas he may well be 'taking one for the team' now.

      1. Kumar2012

        Re: And today's lesson is?

        "Indeed, and I might surmise that in jail in Texas he may well be 'taking one for the team' now."

        FTFY: Taking one from the team ;)

        1. asdf Silver badge

          Re: And today's lesson is?

          Meant ruined. 10 min I still can't get it right.

  5. Anonymous Coward

    The need for software defined networking

    All the ethical and education issues of this individual aside, this sure seems to make the case for SDN. The idea that a single rogue administrator could wipe out 1/2 of the networking and then cause a significant amount of disruption seems like a big problem. Even though SDN is frequently sold as a cheap way to build a network on commodity gear, the real benefits are in more control of networking configurations and more automation of provisioning. Once SDN takes hold, the old days of having a config file deleted from a switch and causing a major disruption will be long gone. All vendors are moving to an SDN strategy, from the smallest to the largest, because it is what the industry needs.

    1. Version 1.0 Silver badge

      Re: The need for software defined networking

      It seems to me that with SDN the outage could have been quite a bit more subtle.

    2. Erik4872

      Re: The need for software defined networking

      Not sure about that one. SDN is great for desired state config and the ability to use crappy white box switches instead of Cisco gear, but those configs live somewhere and are managed by someone. It wouldn't take much for someone with enough access to turn all of that SDN gear into a bunch of dumb, unconfigured network ports. In theory they could just melt the whole network into a pile of goo by blanking out the software configs. Granted, it's easier to get back online if you're smart and archive your configs, but network admins generally don't like sharing control of things.

    3. razorfishsl

      Re: The need for software defined networking

      And SDN runs on what?

  6. Bob Dole (tm)
    Facepalm

    PSA: What to do when you're unhappy in your job.

    On today's episode of "What to do" we will answer a question sent in by Lemmon:

    Lemmon: "I'm unhappy in my job and my boss just reprimanded me. Should I burn the place down?"

    Answer: "There is no need for theatrics. Anything you could possibly think to do will only cause everyone to see you in a bad light. Instead, just find another job. Preferably one that your skills are matched to. Causing intentional harm, even to computer equipment, is considered bad form and no one will sympathize with you; especially not pointy haired bosses who will make it their life mission to see you hang."

    That's it for today's episode. Tune in tomorrow when we explore the downsides of time card fraud.

    1. Anonymous Coward

      Re: PSA: What to do when you're unhappy in your job.

      Wait, there's a downside to time card fraud????

  7. g33k3ss
    Thumb Down

    Pah!

    A good BOFH would never have been caught. And he would have taken out the backup routers too. Try harder next time.

    1. Mark 85 Silver badge
      Meh

      Re: Pah!

      True... but then his co-worker(s) wouldn't have received the email about his sacrifice and "taking one for the team".

      He reminds me of certain wrongdoers who have to upload pics, vids, etc. about their wrongdoing. This guy doesn't even qualify as a PFY.

    2. Anonymous Coward

      Re: Pah!

      "A good BOFH would never have been caught... And he would have taken out the backup routers too. "

      Surely a good BOFH would have taken out just the backup routers, then waited a week or two - then get the Boss to cause the active/primaries to fail?

      1. h4rm0ny

        Re: Pah!

        A BOFH wouldn't have got worked up in the first place - they'd just be slacking in the server room and blinding any manager who tried to call them on it with a barrage of technobabble and excuses the manager wasn't qualified to refute.

        To do something like this person did, you actually have to care about your job.

    3. Nano nano

      Re: Pah!

      And would have left an ISIS-related calling card, to mislead ...

  8. Unicornpiss Silver badge
    Thumb Down

    Just another unstable idiot

    -He overreacted to a bad review. Seriously, let them fire you then collect unemployment if you are in the right. At least cool off and then think about what you're about to do before wreaking havoc.

    -He'll never find another IT job worth having.

    -He bragged about it. And using poor grammar. And got caught. Unforgivable.

    -What did his actions do except inconvenience a lot of people that did nothing to him? If nothing else, it now will look like his supervisor was right on the money with his review, whether or not it's true.

    -What "team" did he "take one" for? All that's likely to happen from this is ridiculous security measures and scrutiny that will make it harder for his successors to do their jobs, similar to the idiocy of not being able to take nail clippers on a plane right after 9/11.

    A disgrace to our profession. Perhaps he'd be better off finding a nice job in lawn care.

    1. Boork!
      Trollface

      Re: A disgrace to our profession. Perhaps he'd be better off finding a nice job in lawn care.

      Hyuk, hyuk! Ah done put gum in the water sprinklers. That'll learn them!

    2. Erik4872

      Re: Just another unstable idiot

      "Seriously, let them fire you then collect unemployment if you are in the right."

      Indeed. I think it was on my third or fourth big-company job that I realized, if I wanted to, I could just stop working altogether and it would take at least a few months to get through the procedures required to get rid of me. And this is in 'Murica, working for at-will employers. The first bad review is just the first step. When you get one of those, the grown-up thing to do is to use the time you have left to find other work, since you've been targeted for termination already. The immature spoiled kid thing, obviously, is to circumvent that whole process by clumsily sabotaging your workplace.

      "He'll never find another IT job worth having."

      That I'm not so sure about. IT has a bit of a French Foreign Legion mystique, in that you can just run away to a new location and get a job pretty easily after screwing up badly. I've personally witnessed this -- a company I worked for hired some "rockstar" systems architect who I thought was clueless. I did a little digging and it turned out he presided over a multi-million dollar failed project somewhere else as the chief architect. Now, he's going to have a criminal record so that's going to be a problem. But if he didn't, and just got fired because he was incompetent, all he would have to do is clean up his resume and walk into the nearest technical recruiter for immediate placement. If I were king of the IT profession, that's one thing I'd want immediately -- personal responsibility for bad work and liability malpractice-style.

      1. Anonymous Coward

        Re: Just another unstable idiot

        "I think it was on my third or fourth big-company job that I realized, if I wanted to, I could just stop working altogether and it would take at least a few months to get through the procedures required to get rid of me."

        I once worked with a guy who actively, and openly, used to do exactly that. He told me that it took on average about a year for an employer to get rid of him. He used to come in the office for about 11, take a couple of hours lunch, then leave at about 4.

        He was obviously mentally ill though, the poor guy. The company never actually had to fire him as he stopped coming in after a couple of months because he reckoned another co-worker was out to kill him.

        I could tell you some even more bizarre tales but it wouldn't be fair as he'd be identifiable with just a bit of Googling if I were to do that.

    3. BillDarblay
      Holmes

      Re: Just another unstable idiot

      "-He'll never find another IT job worth having."

      ROFL - does an IT job exist that is worth having?

    4. Fatman Silver badge
      Joke

      Re: Just another unstable idiot

      <quote>Perhaps he'd be better off finding a nice job in lawn care at a fast food establishment.</quote>

      FTFY!!!

    5. Anonymous Coward

      Re: Just another unstable idiot

      Now, now - gardeners have feelings too!

      I reckon that twit will get the engine to drop a cam (assuming 4 stroke) or forget to add oil (2 stroke).

      On another note - use SNMP to reboot the routers and wipe the config in order to circumvent TACACS+/Radius.

      AC for obvious reasons.

      Disclaimer - the garden behind my house either looks like a jungle or like the Gobi desert ...

  9. MooJohn

    Real criminal off the streets!

    People who commit real (physical) crimes get probation or a slap on the wrist. This guy slowed down a network (didn't even manage to take it offline) and gets 2 years in prison. Priorities, anyone? I've had janitors accidentally cause a bigger outage than this!

    He could have shot someone and would have received 6 months in the county lockup.

    1. Dan 55 Silver badge
      Devil

      Re: Real criminal off the streets!

      Banks are sacred and must not be desecrated. They must be allowed to bring the economy to the edge of collapse.

  10. SpammFreeEmail

    Everyone seems to have missed the point here......

    If he started out as a contractor (a form of job vetting) and then became full time, how did Citiwank not pick up on the fact he was slightly off the reservation?

    Looks to me like a classic case of budget constrained decisions having bad repercussions.

    1. Dadmin
      Facepalm

      Re: Everyone seems to have missed the point here......

      Not to mention that his tactic was about as subtly clever as his grammar. A very low level, weak attempt at causing some damage inside a bank network. There's a reason this was not titled "Bank DBA goes postal and erases all data and backup data, then clobbers the terminals at every branch before causing all coffee machines to blow searing hot java all over the execs!"

      Simply put, to be a DBA you usually need some specialized skills, the kind of skills smart people have and use to get good jobs, not shitty jobs at some crap bank where you're at best a low-level network guy. No offense to all networking folks, of course, but yes, this is a small-time lashing out of a small thinker. There's no "I'll show them by getting a better job and being successful and happy without them!" It's all self-destruction and self-pity. They probably had the network back to rights in about 8 minutes when the network guys (that don't suck at their jobs) got back from lunch. Still, one less shitty admin pretending to be a quality IT guy to deal with, so there's that.

      1. Marshalltown

        Re: Everyone seems to have missed the point here......

        Given what was possible, it seems unlikely he intended not to damage anything. Then too, Citi, you got to remember it was Citi. They were the ones caught pushing "subprimes" and wound up losing three-quarters (or more) of the value of the stock back in the 'oughties. Performance? He might have a point about upper management.

      2. The Vociferous Time Waster

        Re: Everyone seems to have missed the point here......

        Obvious troll is obvious.

        Everyone knows network people are better paid and more respected while DBAs are rounded up in the job center with a large net.

        The hierarchy goes like this:

        Firewalls & Loadbalancers

        Routers & Switches

        UNIX servers

        Oracle DBA

        SQL DBA

        VoIP/Telephony

        Windows Servers

        Desktop support

        1. TonyJ Silver badge

          Re: Everyone seems to have missed the point here......

          "...Obvious troll is obvious.

          Everyone knows network people are better paid and more respected while DBAs are rounded up in the job center with a large net.

          The hierarchy goes like this:

          Firewalls & Loadbalancers

          Routers & Switches..."

          Maybe in support terms. Dunno - have been out of it for many years.

          Alternatively it goes along the lines of:

          Director

          Sales

          Pre-sales architect

          Architects (take your pick - solution, lead, technical etc)

          Delivery engineers

          Site support engineers

          Helpdesk

          Support managers

          ;-)

        2. Anonymous Coward

          Re: Everyone seems to have missed the point here......

          Hello this is the 1980's, they asked for their job titles back.

        3. TheVogon Silver badge

          Re: Everyone seems to have missed the point here......

          "The hierarchy goes like this:"

          Not anywhere I have ever worked. Networks / telecoms = sewers and drains department = it should just work and no one needs to see it. Near the bottom of the stack...

  11. Anonymous Coward

    AMERICA....FUCK YEAH....

    Working in the UK for a US firm and I can see why he lost his shit. While it's inexcusable to do what he did (yes, the grammar part) American managers seem to have an uncanny ability to completely ignore any suggestions from the 'peasant classes' while simultaneously making sweeping changes to systems and processes that worked perfectly well before and are now, and shall be for evermore, fucked. He probably got chewed out for refusing to work an extra 2 hours each day...If you don't sacrifice your first born for the good of the company you are just not trying hard enough.

    Guy was also a bit of a noob for bragging about it, he probably would never have been caught otherwise. I have worked in places where a few key presses would basically have ended the entire company. Obviously, we don't actually think about doing this...you know, because ethics.

    1. Wilseus

      Re: AMERICA....FUCK YEAH....

      "He probably got chewed out for refusing to work an extra 2 hours each day"

      Sounds just like the video games industry...

    2. Hollerithevo Silver badge

      Re: AMERICA....FUCK YEAH....

      There is a strange cult of the Manager in the USA and in American firms, at least in my experience. A Manager is some sort of special being, unquestioned no matter what his or her level of competence. Their main activity, as far as I can see, is to hire sub-managers and deputy managers so that they are managers of managers, and therefore doubly sacred. The opinion of the actual person doing the job weighs nothing. It's very curious. As I come in as a contractor or consultant, I tend to get paid more attention (especially as a consultant), but managers really do end up drinking their own kool-aid and believing themselves special.

  12. John Smith 19 Gold badge
    Unhappy

    Ethics..

    Isn't that a town in Vermont somewhere?

    Sabotage is rarely the answer.

    Clumsy sabotage is just bungling on a large scale.

    1. Bloakey1

      Re: Ethics..

      "Isn't that a town in Vermont somewhere?"

      <snip>

      No! Ethics is a travel book written by Chris Eubanks.

      When he finished he promised to write others about Sussex and Wessex.

      1. MJI Silver badge

        Re: Ethics..

        Don't you mean Thuthex and Wethex?

        1. LionelB

          Re: Ethics..

          Don't mock his speech impediment...

          http://hyperboleandahalf.blogspot.co.uk/2010/02/spaghatta-nadle.html

      2. Eltonga
        Joke

        Re: Ethics..

        Well, where I live Sussex is a kitchen towel tissue paper brand... I think it adds to the topic.

    2. Lotaresco

      Re: Ethics..

      "Isn't that a town in Vermont somewhere?"

      Nah, it's in Pennsylvania within the triangle bounded by Vintage, Intercourse, Paradise.

      It's also a county in England where everyone talks funny, innit?

  13. Anonymous Coward

    I once had to work with a manager

    I once encountered a newly hired manager of another team, a b@st@rd ... This guy really managed to get me very upset, I reported the incident ... needless to say, I was not the only one ... he eventually "left" ... before leaving, he sabotaged one of my Windows servers by removing me from local admin group.... apparently, I had been the first to complain about him... IT solved the issue in 2 minutes, so no big deal, but really, why would you do something that silly ?

    1. TonyJ Silver badge

      Re: I once had to work with a manager

      "....I once encountered a newly hired manager of another team, a b@st@rd ... This guy really managed to get me very upset, I reported the incident ... needless to say, I was not the only one ... he eventually "left" ... before leaving, he sabotaged one of my Windows servers by removing me from local admin group.... apparently, I had been the first to complain about him... IT solved the issue in 2 minutes, so no big deal, but really, why would you do something that silly ?..."

      You just reminded me of a time, back in the late 90's when I was fairly new to support. We had a guy who usually did hardware repair (my own background) building some servers for us from a script.

      I'd moved over from being the team lead in the hardware workshops and had repeatedly had to have words with this chap because of what was basically laziness.

      Anyway, he wanted to get into the projects side of things and despite various warnings he was being given bits of internal setup and support work to do.

      Anyway it turned out that on each of the servers he was building for us (these few were standalone, not domain joined) he created accounts for all the necessary people except me.

      It was a pain for all of a few minutes to log in as the local admin and add myself but really, all he achieved was another dressing down from his line manager for his obvious stupidity.

  14. Erik4872

    Amateur hour, makes all of IT look bad

    I'm assuming this lovely specimen worked as a NOC guy or similar -- why didn't he pull a Terry Childs and hold the network configs hostage until he got whatever satisfaction he wanted? A real BOFH would have wiped out all the network documentation, _and_ the primary and backup config files on all the equipment before casually heading off to lunch.

    The thing I worry about is stories like this getting around to the executive classes and prompting more of them to consider replacing the "scary unstable neckbeards" with polite-but-incompetent offshore Tata or Infosys employees. People like this guy make the entire IT profession, including those of us who actually do a professional job, look bad in front of the decision makers. I've worked with a few people like Lennon Ray Brown (in terms of their personality, not their actions thankfully.) Let's just say some of these folks might have come back with a weapon of some sort if their boss gave them a bad review, not just wiped some router configs. IT does attract some intriguing personalities.

    I've often opined that it's time for the IT and software development professions to grow up and actually establish a standard of professional work. Doctors and professional engineers do this, and the reward is a much more stable work life. Why are we still married to the romantic notion of the cowboy admin or coder doing things with no regard to how they could affect others?

    1. Andy E

      Re: Amateur hour, makes all of IT look bad

      I can see where you're coming from but the rate of change in the IT Profession would mean any standards would be out of date the day after they were published.

    2. Nano nano

      Re: Amateur hour, makes all of IT look bad

      No, a REAL BOFH would have put the network config wipe into a timed job running a month later - when he was in another job anyhow.

      1. rfink13

        Re: Amateur hour, makes all of IT look bad

        An expert BOFH would have installed a "still here" bomb with the payload activated a random number of days after it detected his account had been disabled or deleted.

    3. Anonymous Coward

      Re: Amateur hour, makes all of IT look bad

      If you're going to do it, do it right.

      First, kill the backups. You don't even have to delete them. Just cause them to silently fail and give it a week. Any organization that lives by the data it collects daily is going to have an incredible time recovering if their primary data is scrambled and the backups are over a week old. Also, if you have the access, make sure the log files are set to delete themselves and roll over every 12 hours. If you are good then you'll figure out how to make sure those fail over drives/servers don't actually fail over correctly...

      Second, remove the important bits from the documentation. Again, you don't have to delete it all. Just some of the parts that actually matter as this will cause an untold amount of running around while people figure out what's wrong. Most people don't refer to any documentation until they have to; which means you should have time before someone realizes the docs are bad.

      The third part is to just wait until things crash on their own. It might take awhile but they will. Patience is key. If you happen to work in networking and want to hurry things along then all you have to do is "incorrectly" configure a router allowing certain external traffic to route to an insecure server and let the internet do the rest... Heck, how often do network admins check on router configs if everything seems to be humming along?

      Of course, the problem is that people want to be the ones that push the "delete" button that causes everything to failscade. Then they want to watch it burn and finally they want to talk about it. Each of those things are exactly why people are caught.

    4. BillDarblay

      Re: Amateur hour, makes all of IT look bad

      "People like this guy make the entire IT profession, including those of us who actually do a professional job, look bad in front of the decision makers."

      Perhaps he was sick of being passed over for a pay rise in favour of fawning, grasping, "Look at me, Look at me!" inadequates.

  15. LDS Silver badge
    Joke

    In Texas, he would have been pardoned...

    ... if he had opened fire with a shotgun at the routers. The issue was it made it in a nerdy way moreover against those sacred institutions in the US banks are.

    1. Teiwaz Silver badge

      Re: In Texas, he would have been pardoned...

      Damn it, I've just got a mental image of Yosemite Sam. That'll not go away until I watch some Bugs Bunny. Gee, thanks LDS, he's set up a saloon in one corner of my brain and won't be quiet.

    2. Tom 7 Silver badge

      Re: In Texas, he would have been pardoned...

      The company he worked for were lucky they didn't give him a patent on this and hand the company over to him.

  16. CheesyTheClown

    Caused congestion?

    Unless he configured new links/routes, then the routers and switches in the network should have been run in pairs and the links should have been somewhat redundant in their design.

    It appears that someone on the network team was doing a REALLY poor job if the loss of a link causes congestion. Don't get me wrong, this guy should be shot, but... I would be seriously embarrassed to publicly pronounce that the loss of a single link would cause my network to become "unusable" due to congestion in the banking industry. I know he shut down 9 routers... but unless there was a total rat's nest in the infrastructure, the congestion would reoccur if a single link went down.

    Sue the guy for intentionally threatening the stability of the network, don't air your dirty underwear like this.

  17. paulc

    One of these days...

    For critical commands, they'll introduce having to have two different accounts logged in to issue them, one to invoke it, the other to approve it...

    1. rfink13

      Re: One of these days...

      The company I work for would just give the IDs and Passwords for both accounts as a time saving measure.

      1. Vic

        Re: One of these days...

        The company I work for would just give the IDs and Passwords for both accounts as a time saving measure.

        One manager at the company I used to work for demanded all administrative passwords I held on any machines. Even the ones belonging to an entirely different group[1]...

        Vic.

        [1] Yes, the other group should have changed those passwords when I stopped working for them. But they didn't, however often I reminded them that they should.
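
The two-account control paulc describes at the top of this thread, sketched as an added example (not code from the article or from any commenter): a gate that holds destructive router commands until a second, different admin approves. The command patterns, user and device names and the five-minute approval window are assumptions for illustration, and the gate can only tell that two distinct accounts acted, so it assumes each account is held by a different person.

```python
import re
import time
from dataclasses import dataclass
from typing import Optional

# Illustrative, not exhaustive: IOS-style commands that wipe config or storage,
# or reboot the box. A real deployment would keep this list in the AAA policy.
DESTRUCTIVE_PATTERNS = [
    re.compile(r"^(write|wr)\s+erase\b", re.I),
    re.compile(r"^erase\s+(startup-config|nvram:)", re.I),
    re.compile(r"^(delete|format)\s+.*\bflash", re.I),
    re.compile(r"^reload\b", re.I),
]

APPROVAL_TTL_SECONDS = 300  # assumed policy value


def is_destructive(command: str) -> bool:
    """True if the whitespace-normalised command matches a destructive pattern."""
    normalised = " ".join(command.split())
    return any(p.search(normalised) for p in DESTRUCTIVE_PATTERNS)


@dataclass
class PendingRequest:
    requester: str
    device: str
    command: str
    created: float
    approver: Optional[str] = None


class ApprovalGate:
    """Holds destructive commands until a second, different admin approves."""

    def __init__(self, admins, clock=time.time):
        self.admins = set(admins)
        self.clock = clock
        self.requests = {}
        self.audit = []  # append-only list of (time, event, user, detail)
        self._next_id = 1

    def _log(self, event, user, detail):
        self.audit.append((self.clock(), event, user, detail))

    def submit(self, user, device, command):
        """Return ("deny" | "allow" | "pending", request id or None)."""
        if user not in self.admins:
            self._log("deny-unknown-user", user, command)
            return "deny", None
        if not is_destructive(command):
            self._log("allow", user, f"{device}: {command}")
            return "allow", None
        rid = self._next_id
        self._next_id += 1
        self.requests[rid] = PendingRequest(user, device, command, self.clock())
        self._log("pending", user, f"#{rid} {device}: {command}")
        return "pending", rid

    def approve(self, rid, approver):
        """Record approval; refuse self-approval, unknown users and stale requests."""
        req = self.requests.get(rid)
        if req is None or approver not in self.admins:
            self._log("approve-refused", approver, f"#{rid} unknown request or user")
            return False
        if approver == req.requester:
            self._log("approve-refused", approver, f"#{rid} self-approval")
            return False
        if self.clock() - req.created > APPROVAL_TTL_SECONDS:
            del self.requests[rid]
            self._log("expired", approver, f"#{rid}")
            return False
        req.approver = approver
        self._log("approved", approver, f"#{rid}")
        return True

    def release(self, rid):
        """Hand the command to the executor exactly once, only if approved and fresh."""
        req = self.requests.get(rid)
        if req is None or req.approver is None:
            return None
        del self.requests[rid]
        if self.clock() - req.created > APPROVAL_TTL_SECONDS:
            self._log("expired", req.requester, f"#{rid}")
            return None
        self._log("released", req.requester, f"#{rid} approved by {req.approver}")
        return req.device, req.command


if __name__ == "__main__":
    gate = ApprovalGate({"alice", "bob"})  # constructed user names
    _, rid = gate.submit("alice", "core-rtr-1", "erase startup-config")
    gate.approve(rid, "alice")  # refused: self-approval
    gate.approve(rid, "bob")
    print(gate.release(rid))
    for entry in gate.audit:
        print(entry)
```
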

  18. Anonymous South African Coward Silver badge

    This sort of thing scares me - by realizing that I literally hold the future of the entire company in the palm of my hand.

    Wiping out/corrupting backups, then wiping the server and skedaddling off is a sure way of crippling the company seriously...

    ...but because of ethics I won't. But it still scares me, and I have to fight the darkness within me every day.

    1. Anonymous Coward

      Drop the SAN

      You can cause all levels of untold havoc, just by deleting the LUNs off the SAN, and have that replicate across the nodes.

      Especially VMFS ones.

  19. Nifty

    Last router standing

    Surely he'd have to leave 1 router running in order to delete the config of the others?

  20. Nunyabiznes

    Martyr

    You guys are missing his pathological need to "show them". He probably did have a real bunch of wankers for bosses but the real issue was his self importance.

    It is an easy trap to fall into.

    Document what they tell you to do, then do it. And polish the resume.

  21. Mahhn

    Better choices

    Having been in a situation with 90% crap managers and HR dept (Dell), my outlet was to find another job and write honest reviews of the employer. No matter how much I was abused, I would not lower myself to abuse my position, "my work" represents "me", not those that abuse me. He deserves punishment for being a dick to his team and poor work ethics.

  22. Gis Bun

    "They was firing me." Yup. That's Texas!

  23. Anonymous Coward

    There is a time-tested formula for screwing someone over without consequences...

    What you do is offer to sell that person high-priced securities built on AAA-rated but yet worthless collateralized debt obligations, then when they buy them you short those same securities yourself and wait for them to implode. Based on the experience of the last 10 years, it seems clear there's no way for someone to get in trouble for that.

  24. EJ

    IT Suicide Bomber

    Nothing better justifies the judgment of management in firing/sanctioning an employee than when said employee turns around and pulls a stunt like this in response.

  25. Jerry G.

    Trust

    This man is an idiot. He will never be able to have an IT or systems analyst job most likely for the rest of his life. This man will never be trusted. He will be lucky if he can get a floor sweeping job. Employers would never want to employ someone who can turn on them.

  26. Unicornpiss Silver badge
    Meh

    I felt the urge to do the same once...

    I had gotten laid off from my job, partially from my own growing dissatisfaction, partially from politics and the director's nepotism. I was administrator of a call center and a hundred or so POS systems (in both senses of the acronym). Most of our systems ran on Red Hat Linux, which is inherently secure, but the company that sold our software and solutions had these set so that a number of logins could be used with no password to accomplish certain things. Like "backup", "net on", etc. What I had discovered previously was that I could use one of these little gems that didn't sanitize its input to add command line switches to one of these logins, which essentially accomplished their tasks as root on the box. I couldn't wipe a file system this way, but a bug in the way one of the switches was handled would cause the system's boot configuration to be wiped, rendering the machine unusable at the next reboot, and requiring an on-premises visit by someone who really knew Linux to fix it. I had also discovered that doing this left no meaningful trace in the logs on what had occurred.

    I had thoughts of driving perhaps 100 or more miles away, using a laptop on a payphone or other anonymous line to connect to the support modems, do my deed, and watch the havoc slowly play out over the course of months, as these servers were not rebooted often, being Linux.

    While I doubted that I would ever have been caught, especially with the level of competence remaining, and thoughts of punishment if I was caught did enter into my decision, in the end I just didn't want to be "that guy." It was personal ethics and realizing that while it would have certainly hurt the company and made for a lot of stress for management, really it would have caused a lot of bad days and misery for the lower-level unappreciated people that would have had to endure the chaos of trying to operate manually until things were fixed. People that liked me and greeted me by name with a smile, knowing I was there to help them. (in the past) And people that I liked and cared about as well.

    Still, while I never did any harm, it was somehow comforting to know I held that remaining power as I went through the odious process of having to look for another job at a bad time in my life. Maybe similar to those that have guns in their homes that will probably never be used, but having them there gives some sense of security.

  27. middyb

    So you can launder 347 billion for Mexican drug cartels at Wachovia and not serve a day behind bars but at Citibank you cause some temporary network congestion and it's 23 months? Seems a bit wrong if you ask me.

  28. Anonymous Coward

    Not the best career move, but you get a feeling that things like this will become ever more common.

  29. Anonymous Coward

    Racist comments

    The people commenting about his grammar and laughing at "Texas" are actually racists. Any American can gather that from his speech pattern.

  30. highdiver_2000

    What happened to ACS?

    10 core routers config deleted. I guess they don't have ACS and TACACS? Or the controls on the ACS were just an afterthought.


Biting the hand that feeds IT © 1998–2019