That's a sticky Siemens situation: Former coder blows his logic bomb guilty plea deal in court

A programmer facing up to 10 years in the cooler, and as much as $250,000 in fines, blew his guilty plea deal on Monday – after he tried to avoid admitting full blame for his actions. David Tinley, 62, was in court to admit planting logic bombs [PDF] in spreadsheets he had developed for Siemens over a decade ago: if he pleaded …

  1. Anonymous Coward
    Anonymous Coward

    People should be asking Siemens......

    About the 'cracked' versions of its NX software. Install that and it gains full access to your PC and phones home to Siemens with everything on your PC and info of all servers it is connected to.

    1. jake Silver badge

      Re: People should be asking Siemens......

      Not quite. Let me rephrase that for you:

      When you install a copy of Siemens PLM, part of the process includes the code connecting to Siemens to verify you have a license to use the code. This can and does occur even if you downloaded a supposedly "hacked/cracked" version (so-called "warez"). If your licensing information doesn't stand up to scrutiny, Siemens retains information about your use of the illegally acquired code, and offers you the ability to purchase a proper license instead of being fined heavily and/or going to jail for software piracy.

      It's called “compulsory licensing”. Most high-end code contains this kind of thing. Sometimes the warez doodz miss it. Caveat emptor.

      Your beef isn't with Siemens. It is with the so-called hacker/cracker who released the code to the warez world without actually making the code safe to run "anonymously". And very likely it is your own damn fault for not running the code on an airgapped machine that can't phone home, as suggested in the documentation usually included with the cracked code.

      Moral of the story: Use properly licensed software, chuckletrousers.

      (Source: Client of mine. $200-million-a-year engineering group. When I found out what was going on, I advised the Board of the above. They fired the CTO and paid Siemens ... NOT a fine, mind, but the same exact rate they would have paid if they had purchased the code through the proper channels. Siemens was actually quite reasonable about it, and threw in an upgrade to the current code and a year of free tech support, which surprised the hell out of me.)

      1. big_D Silver badge

        Re: People should be asking Siemens......

        With their prices, they can afford to throw in the upgrade. ;-)

        But, yes, a good reaction.

      2. Anonymous Coward
        Anonymous Coward

        Re: People should be asking Siemens......

        Then consider this situation, which happened a couple of years ago. A mechanical design student got a summer job, he used NX as part of his new job. Wanting to learn more quickly about the functionality of the S/W he did a stupid thing, he downloaded and installed a cracked version of the S/W on his personal PC at home.

        Jump forward a little, the company at which he was doing his summer job receives a demand from Siemens regarding the unlicensed software; they were demanding £250,000. A demand for payment because an individual had downloaded and installed it on their own PC at home, without the knowledge of the place he was working.

        How did Siemens know where to send the demand when he was using it on a non-work PC and didn't have a work email in Outlook on his PC? The company which received the demand didn't roll over; they contacted a specialist who, from what I understand, analyzed all the telemetry going into and out of the binary blob. The only link on the young guy's PC to the place he was working was email sent from his browser, not Outlook. Siemens was collecting all this information and more, including examples of designs he was working on as he was learning about the software. They were deep inside his PC.

        When Siemens went to visit the company to have a discussion about payment for the unlicensed software, first it was made very clear to Siemens they didn't have a legal leg to stand on, and when the full report of all the telemetry being pulled was presented, the Siemens guy's face went grey.

        After that, Siemens sent a letter to say the licence fee was being waived in this circumstance. The company which holds the telemetry report still has it but because it is a major user of NX software and no alternative which is good enough is available, decided not to go public.

        What was made very clear from the telemetry analysis is that Siemens, if they wish, can see exactly what their software is being used for, including all the engineering designs being worked on.

        1. TeeCee Gold badge
          Facepalm

          Re: People should be asking Siemens......

          Or, more likely, the moronic spanner in question either "borrowed" the config from work and didn't sanitise it (earning a medal for stupid) or set his bent copy up as if it were a work copy, typing in all the details (oak leaf and cluster on said medal).

          I'd bet that the company has a site license, rather than paying per seat, the Siemens license server spots it running configured for Company A in two geographically disparate sites and fines Company A.

          I hope they fired the dickhead.

        2. Aqua Marina

          Re: People should be asking Siemens......

          GDPR!

          Siemens is a European company so GDPR applies. Time for a friendly reporting of this activity.

          1. Test Man

            Re: People should be asking Siemens......

            Wrong. ANY company in the world that handles PII data on European citizens is subject to GDPR.

            In other words, your company could be from Timbuktu, but if you hold an address for Joe Bloggs in the UK, or Jose Blogaça from Spain, GDPR applies or GTFO of the EU market.

        3. jake Silver badge

          Re: People should be asking Siemens......

          "How did Siemens know where to send the demand"

          Simple. They didn't. Your story, the way you understand it anyway, is obviously missing some very important bits and pieces. And embellishing others that perhaps never existed. A true "heard it from a friend of a friend" story, featuring the old child's game of telephone ("Chinese whispers" to you Brits).

          "They were deep inside his PC."

          The warez doodz certainly were. Do the math(s).

          And what the fuck would Outlook have to do with it?

          1. Prst. V.Jeltz Silver badge

            Re: People should be asking Siemens......

            A true "heard it from a friend of a friend" story,

            exactly. The guy took that shit to work and went "hey look what i can do!" or something

            1. jake Silver badge

              Re: People should be asking Siemens......

              Might even have plugged his personal laptop into the corporate network. Now ask me why I define "BYOD" as "Break Your Own Defences" ...

              1. Anonymous Coward
                Anonymous Coward

                Re: People should be asking Siemens......

                Nope. BYOD at that company is strictly forbidden. No personal laptops or phones are allowed anywhere near the corporate network.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: People should be asking Siemens......

                  > Nope. BYOD at that company is strictly forbidden. No personal laptops or phones are allowed anywhere near the corporate network.

                  It's also fairly feasible the guy was using a VPN to connect to his work on occasion, which would allow "auditing" code running on the home PC to collect a bunch of info from the work network and pass it along.

        4. Anonymous Coward
          Anonymous Coward

          Re: People should be asking Siemens......

          "What was made very clear from the telemetry analysis is that Siemens, if they wish, can see exactly what their software is being used for, including all the engineering designs being worked on."

          Some engineering firms have their CAD and/or Finite Element Analysis machines on air gapped networks to minimise the risk of undesirables accessing their data. (I have no idea why this isn't standard practice...)

          It's been quite a few years since I last used NX because we currently use some competing software, but I'd be amazed if there wasn't still a way to run it on a computer without an internet connection, because some of their customers would then *not* be able to use NX.

          1. jake Silver badge

            Re: People should be asking Siemens......

            "(I have no idea why this isn't standard practice...)"

            It is.

          2. eionmac

            Re: People should be asking Siemens......

            Any MOD work must be done on computers 'not attached' (in any way) to the internets.

    2. Anonymous Coward
      Anonymous Coward

      Re: People should be asking Siemens......

      So let me summarize: you're complaining about the quality of the product you stole?

  2. John H Woods

    Spreadsheet misuse.

    I've seen some bloody awful spreadsheets, not surprising people can hide stuff in them (usually bugs in my experience). I remember someone complaining to me that they couldn't get a 5000 character formula into a cell. SMH

    1. ArrZarr Silver badge

      Re: Spreadsheet misuse.

      You can get a 5000 character formula into a cell. Excel only starts throwing a wobbly when you go above 8192 characters.

      You can often run into that problem while debugging array formulae as each section of an array formula can easily handle tens of thousands of rows so while stepping through with F9, you go over the limit even though you have no intention of actually writing a formula more than 100 characters or so.

      1. JimC

        Re: Excel only starts throwing a wobbly when you go above 8192 characters.

        I imagine the limit was smaller in older versions.

    2. Anonymous Coward
      Anonymous Coward

      Re: Spreadsheet misuse.

      Me: "I will do this data analysis application using a spreadsheet when you tell me how it can be audited."

  3. Anonymous Coward
    Facepalm

    $42,000 to read a code listing?

    Siemens .. put a team of people on it, including coders .. figure out if the dodgy code had caused mistakes in the past. It spent $42,000 on the issue

    That would take me about two hours, and if I wrote the logic bomb then you wouldn't even find it. A password-protected Excel spreadsheet? This Tinley is obviously not the brightest LED in the drawer.

    1. jake Silver badge

      Re: $42,000 to read a code listing?

      Sight unseen, you make the claim that it would take you "about two hours" to find it, and then in the same paragraph you make the claim that if you, Walter Bishop, had written it they couldn't find it?

      Would you please make up your mind?

    2. big_D Silver badge

      Re: $42,000 to read a code listing?

      Have you seen the spreadsheet?

      Do you know which of the millions of cells the "logic bomb" was coded into?

      You might find it in a few minutes or it might take weeks, depending on how much redirecting he put into the formulas.

      1. Prst. V.Jeltz Silver badge

        Re: $42,000 to read a code listing?

        It's not a question of clicking on each cell with a mouse to see if anything's in it.

        You follow what the code does, and I guess you could write a routine to scan for other code/formulas in the far-away cells at zzzzzz999999.

        P.S. lolz to Walter saying it's both easy and impossible at the same time

        1. big_D Silver badge

          Re: $42,000 to read a code listing?

          But that's the point, if I was going to do something like that, I certainly wouldn't put it in code. I'd put it in a cascaded cell reference somewhere, with a value that at some point goes out of bounds and causes parts of the model to no longer work - but I wouldn't make it display an Excel error either.

        2. ArrZarr Silver badge
          Coat

          Re: $42,000 to read a code listing?

          I think you mean XFD1048576.

          1. Prst. V.Jeltz Silver badge
            Coat

            Re: $42,000 to read a code listing?

            nah I meant ZZ9pluralZAlpha :p

    3. chas49

      Re: $42,000 to read a code listing?

      I suspect the $42k also covered tracking back to find out what they paid out each time the logic bomb exploded, and also identifying other costs incurred. You could definitely do that in 2 hours?

      1. Rich 11 Silver badge

        Re: $42,000 to read a code listing?

        and put a team of people on it, including coders and lawyers

        I think I can guess where most of that $42k went.

        1. Gordon 10 Silver badge

          Re: $42,000 to read a code listing?

          $42k sounds quite reasonable in the circumstances - if Uncle Sam had been involved in calculating the costs it would have been 1 Meeeelion dollars or thereabouts.

          Big 4 accountants and techies

          Gold Circle lawyers

          It would be easy to hit 6 figures.

          1. Benson's Cycle

            Re: $42,000 to read a code listing?

            Over here you can hit 6 figures if someone walks into you while staring at their phone and then sues.

            There's a reason English commercial lawyers live in 7 digit houses: 7 digit cases.

            1. Anonymous Coward
              Windows

              Re: $42,000 to read a code listing?

              Could no-one at Siemens crack a spreadsheet password? If you know what the program is supposed to do, especially if you have access to it for months, then anything that is designed to crash would stand out like a sore thumb, especially as it would be written in VB. I would have stored the bomb in XORed uuencoded data stored as a BMP object.

              I'm getting all triggered here over all the down votes :(

              1. LucreLout Silver badge

                Re: $42,000 to read a code listing?

                Could no-one at Siemens crack a spreadsheet password?

                Quite possibly, and I'm just guessing here, their corporate security guys don't allow them to download, install, and run hacking software on the corporate network. Just possibly, they don't allow the client order spreadsheet to leave the network. Bit of an obvious issue trying to reconcile those things, no?

                I would have stored the bomb in XORed uuencoded data stored as a BMP object.

                You're my hero. Now, what if they didn't have any BMP objects in the rest of the workbook - kinda stands out again doesn't it?

                Any sufficiently bad code can take days or weeks to untangle. It's not just finding the first bomb, it's verifying that you found all the bombs.

          2. Andromeda451

            Re: $42,000 to read a code listing?

            I believe you're thinking too small, easy 7 figures...
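Prst. V.Jeltz's suggestion above of writing a routine to sweep the far-away cells, big_D's point that the trigger can sit in a cascaded cell reference that never displays an Excel error, and LucreLout's point that the real job is verifying you found every bomb, lend themselves to a small static check. What follows is an added example, not code from the article, from Siemens, or from any commenter; the worksheet, cell addresses, thresholds and the "date-dependent branch" / "far reference" labels are all constructed for the illustration.

```python
"""Static scan of spreadsheet formulas for logic-bomb tells.

Added example, not code from the article or from any commenter. It runs on a
constructed in-memory worksheet (cell address -> formula string or literal),
so it works offline; loading that map from a real .xlsx (the sheet XML inside
the zip, or openpyxl) is left to the reader.
"""
import re
from collections import deque

# A1-style references such as B7 or $AA$1000; sheet-qualified references are
# out of scope. The negative lookahead stops function names such as LOG10(
# from being read as column LOG, row 10.
REF_RE = re.compile(r"\$?([A-Z]{1,3})\$?(\d{1,7})(?![\w(])")

# Functions that make a formula's result depend on the calendar.
TIME_FUNCS = ("TODAY(", "NOW(")

# Thresholds chosen for this example; tune them to the workbook under audit.
FAR_ROWS = 500
FAR_COLS = 20

# Constructed sample sheet (not from the article): an order calculation whose
# output cell D1 looks clean but depends, via a far-away cell, on a multiplier
# that flips by date. AA1000 never shows an Excel error, it just skews the number.
SAMPLE_CELLS = {
    "A1": 1200,                                       # order quantity (literal)
    "B1": "=A1*1.2",                                  # ordinary arithmetic
    "C1": "=B1*Z900",                                 # multiplier parked 899 rows away
    "D1": "=ROUND(C1,2)",                             # the cell people actually read
    "Z900": "=IF(TODAY()>DATE(2016,9,1),AA1000,1)",  # calendar trigger
    "AA1000": "=0.97",                                # silent 3% skew once armed
}


def col_to_index(col: str) -> int:
    """Column letters to a 1-based index: A=1, Z=26, AA=27, XFD=16384."""
    n = 0
    for ch in col:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def split_addr(addr: str):
    """'$AA$1000' -> (27, 1000)."""
    m = re.fullmatch(r"\$?([A-Z]{1,3})\$?(\d+)", addr)
    if not m:
        raise ValueError(f"bad cell address: {addr}")
    return col_to_index(m.group(1)), int(m.group(2))


def is_formula(content) -> bool:
    return isinstance(content, str) and content.startswith("=")


def parse_refs(content):
    """Cell addresses a formula reads, $ anchors stripped; [] for literals."""
    if not is_formula(content):
        return []
    return [f"{c}{r}" for c, r in REF_RE.findall(content.upper())]


def scan(cells: dict, far_rows: int = FAR_ROWS, far_cols: int = FAR_COLS):
    """Flag calendar-driven branches and references to far-away cells.

    Returns (cell, reason) tuples. A reference is 'far' when its target sits
    at least far_rows rows or far_cols columns from the referring cell.
    """
    findings = []
    for addr, content in cells.items():
        if not is_formula(content):
            continue
        formula = content.upper()
        if "IF(" in formula and any(t in formula for t in TIME_FUNCS):
            findings.append((addr, "date-dependent branch"))
        col, row = split_addr(addr)
        for ref in parse_refs(formula):
            rc, rr = split_addr(ref)
            if abs(rr - row) >= far_rows or abs(rc - col) >= far_cols:
                findings.append((addr, f"far reference to {ref}"))
    return findings


def dependency_chain(cells: dict, start: str):
    """Every cell `start` transitively reads, in breadth-first order.

    Walking the chain from each output cell is how you confirm there is no
    second bomb hiding behind the first one you found.
    """
    seen, queue = [], deque([start])
    while queue:
        for ref in parse_refs(cells.get(queue.popleft(), "")):
            if ref not in seen:
                seen.append(ref)
                queue.append(ref)
    return seen


if __name__ == "__main__":
    for cell, reason in scan(SAMPLE_CELLS):
        print(f"{cell}: {reason}")
    print("D1 depends on:", dependency_chain(SAMPLE_CELLS, "D1"))
```

On the sample sheet the scan reports C1's far reference to Z900 and Z900's calendar-driven branch, and tracing D1 back through C1, B1 and Z900 to AA1000 exposes the skew factor without clicking through cells by hand. It is a triage aid, not proof of absence: a password-protected workbook still has to be unlocked or its sheet XML pulled from the zip, and VBA modules, hidden sheets and defined names need their own pass.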

  4. FozzyBear Silver badge
    Mushroom

    So.......

    Good ol' Excel strikes again.

    Look at any organisation today in the Beancounter Department. Excel is king.

    Macros, VBA code, special plugins, references to other spreadsheets, URLs and god knows what else. All done in the hopes of plugging the gaps in their own processes and procedures, or complete lack of them.

    Pry open the hood on any spreadsheet that was "developed" a few years ago, and I'll guarantee that after 2 weeks of hair-pulling, teeth-gnashing, Tourette's-inducing investigation, you'll find formulas, code, references or any other "smarts" they (the Legume Logistics Department) put in are just plain wrong.

    Excel is never the answer. In fact nuke the bloody thing from orbit, just to make sure.

    1. Anonymous Coward
      Anonymous Coward

      Re: So.......

      You do realize that logic bombs can be put in any program, not just excel spreadsheets?

      1. MiguelC Silver badge

        Re: So.......

        As an example of the above

      2. Prst. V.Jeltz Silver badge

        Re: So.......

        he's not saying the logic bomb problem occured because excel was involved,

        He's saying, as an aside, wherever Excel is involved it's a stain on the system: either a decent system that some spreadsheet-obsessed muggle has thought he'd introduce Excel to, or the spreadsheet is a patch to fix parts of a shit system, or worst case the system is built on Excel.

        I currently run a system that has web dashboards, graphs, queries and whatever you want to work with the info and data it deals with.

        And yet people be all like "How do i extract this dataset into excel so i can do xxx yyy"

        and I'm all:

        "YOU DON'T, you F****** idiot! Just tell me what you want, and I'll show you why the system already does that. Put your shitty spreadsheet away!"

        That said, there is a place for spreadsheets, but it's sure as hell not getting a contractor in to do a job without even telling IT (who probably would've shown you why you didn't even need that step in the process), and then letting the contractor fuck off with a password and a full wallet, only to ring IT support 2 years later and ask them to fix the passworded mess the long-gone contractor made.

        /rant

        1. ArrZarr Silver badge

          Re: So.......

          If you have Excel, everything looks like a spreadsheet.

          I've already replied to one of your comments on this topic with a snarky post but from a user perspective, a lot of the value of getting a clue in Excel is how amazingly versatile it is, so that you don't need to learn how to use a dashboard set up by Vogon A and another tool from Vogon B, you just put the data in Excel and use one tool.

          Not saying that everything should be in Excel. It most definitely shouldn't, and as a reporting tool (guessing at that from how you've described it), your system is probably better. For going in and digging around the data, Excel is quite possibly superior.

          1. Prst. V.Jeltz Silver badge

            Re: So.......

            Yeah, it has its uses, as I said.

            In my case I'd go to the SQL backend first for more in-depth manipulation of the data...

            then to Excel (with a good dose of VBA in it) when my SQL skills ran out.

            In fact the other day one department told me they were still running a 15-year-old Access DB, in parallel with my system because of (reasons), and they had to manually compare the 2 regularly.

            After getting up off the floor in shock re the access.exe,

            I opened a spreadsheet, imported various bits of data from both systems and automated the comparisons they've been doing manually.

            I guess that's one of the "patch" situations I described in the other post :)

            1. ArrZarr Silver badge
              Unhappy

              Re: So.......

              Except from your previous post, you give off the impression that any data within your system shall bloody well stay there, even if Excel is a better way to manipulate the data.

      3. Gordon 10 Silver badge
        Mushroom

        Suck it up boys

        I have a theory - hopefully never proven - that if someone ever comes up with a Zero Day that stops Excel from working irrevocably - then by the end of that week civilisation will have fallen and we'll be eating each other....

        Every corporate I have worked in has at least 1 business critical process running on Excel.

  5. DougS Silver badge

    What the hell kind of contract did he have?

    If he was an employee, his work product belongs to his employer. If he was a contractor, the same is true for stuff he developed while they were paying. It is only if they hired him and he used something he'd previously developed on his own time that he could claim ownership of it. But he'd better have some record of having made that clear when it was installed and them acknowledging it. You can't just install something you put together over the weekend off the clock and logic bomb it to keep them paying you.

    1. JetSetJim Silver badge

      Re: What the hell kind of contract did he have?

      Perhaps he'd previously developed the logic bomb code as a plugin for all his work in Excel and he merely stated that it was essential for all his work on this contract.

      Might want to see if a previous employer had a similar issue...

  6. BossHobo

    C.F. Google: Dilbert spaghetti code holy grail

  7. GrapeBunch Silver badge

    I used (DOS) QUBECALC just last week.

    Maybe he should claim that his coding contains Planned Obsolescence, thus turning a potential felony into a classic business practice. I am not trying to excuse him, nor am I trying to excuse purveyors of Planned Obsolescence in the field of computer software.

    It would be funny if the trick could be defeated by turning back the system clock.

    1. chuBb.

      Re: I used (DOS) QUBECALC just last week.

      Except that all the date functions based around current datetime would be wrong and so create an invalid order....

    2. Warm Braw Silver badge

      Re: I used (DOS) QUBECALC just last week.

      You have to put actual effort into software to build in planned obsolescence. Just do a half-arsed job and the unplanned obsolescence is usually good enough.

      1. Anonymous Coward
        Anonymous Coward

        half arsed job

        That's what I did; strangely this hasn't led to a stream of well-paid visits back to previous employers to top up the code, and they are still using it, I'm informed...

  8. Prst. V.Jeltz Silver badge

    plea deal required him to pay back Siemens some of the money it had spent tackling and fixing recurring glitches in spreadsheets that managed orders for electrical equipment – spreadsheets he built for the global giant in the early 2000s.

    If this "Global Giant" was letting this one dodgy guy make a spreadsheet to do all its ordering, he'd have been better pulling a "Superman 3" / "Office Space"

    especially as this has taken 20 years to come to light.

    1. iron Silver badge

      Yeah the real take home from this story is don't use Siemens for anything because they think Excel is a stock control / ordering system.

      1. Prst. V.Jeltz Silver badge

        Come now, that was many moons ago. I bet they've got a nice shiny access.exe system now!

        in the shared drive of the finance team, under a filepath with 50 directories in it.

      2. I ain't Spartacus Gold badge
        Facepalm

        Excel is a word processor isn't it?

        Oh a desk top publishing program, database, control software?

        Just askin' for a friend.

        mumble, mumble, mumble...

      3. Moosh

        When I worked at Tesco Head Office (before the billion pound overstated forecast) the stock ordering/delivery process for every single store in the country was run through an Excel macro, and there were no real controls for sending them out etc.

        I was given complete control of the Excel document when the usual bloke was off on holiday and I honestly could have just done fucking anything, and considering I was a fresh-out-of-university (where I studied History, no less) temp worker I'm honestly surprised I didn't completely destroy the company while running it.

  9. EmilPer.

    not sure we're getting the whole story

    Why would Siemens use password protected Excel files written by a third party and how come that third party kept the copyright ? What were the terms under which they were using the files ? ... this story is very strange

    That guy must be a future-seeing genius if he wrote Excel files which survived from the early 2000s until now with only his logic bombs preventing them from working.

    Was it right after an Office upgrade that the files stopped working?

    My guess is the guy had a check to see if the file was not copied, and the rest of the failures were due to upgrades of Excel, and they sued him to get the IP and be rid of him.

    Most DRM software works like code bombs anyway; I guess when it comes to going to jail it matters more if you're Johnny Public or BigCorp Inc.

  10. Anonymous Coward
    Anonymous Coward

    I often come across bits of code that have "no functional value, other than to randomly crash the program,"

    Sometimes I've even written them myself on a Friday afternoon.

  11. nerdbert

    [...]evidence that Tinley added code to the complex spreadsheets that "had no functional value, other than to randomly crash the program,"

    Sounds like 99.99% of all code submitted by first time contributors to a FOSS project.

    Only somewhat more seriously, if this is a felony then nearly any "legacy" software system could populate a prison.

  12. Anonymous South African Coward Silver badge
    Coat

    Another wannabe BOFH.

    Simon'll be hiding somewhere with a fully-charged cattleprod.

    Outta here because of the angry BOFH

Biting the hand that feeds IT © 1998–2019