back to article Sysadmin 'trashed old bosses' Oracle database with ticking logic bomb'

A systems administrator is being sued by his ex-employer, which has accused the IT bod of planting a ticking time-bomb on company's servers to wipe crucial data. Nimesh Patel, of Shrewsbury, Massachusetts, is alleged to have broken the Computer Fraud and Abuse Act, trespassed, and committed conversion – that's legal jargon for …

  1. frank ly

    Conversion?

    If I use your hammer to break your window, do I get charged with two crimes?

    1. Anonymous Coward
      Anonymous Coward

      Re: Conversion?

      Is the hammer stolen?

      1. frank ly

        Re: Conversion?

        Not a stolen hammer. I pick your hammer up, break your window with it and then put the hammer down where I found it.

        Note: I've just been reading about 'conversion' in Wikipedia. It has a long and complicated history in law. The hammer scenario is probably not conversion but only a lawyer could say for sure.

        1. Stratman

          Re: Conversion?

          Only a judge and jury could say for sure. Lawyers could argue over it for years at somebody else's expanse.

        2. TheVogon

          Re: Conversion?

          "Not a stolen hammer. I pick your hammer up,"

          When you pick it up, it becomes a stolen hammer...

          1. Stevie

            Re: Picking up a hammer

            If you take the hammer home first, then come back later then yes, you are guilty of theft of the hammer.

          2. Hoe

            Re: Conversion?

            Is that true? In a shop you can pocket items quite legally, it's only stealing if you leave the premises without paying, so given that the hammer didn't leave the grounds, is it theft?!

            1. VanguardG

              Re: Conversion?

              I think many shops would take a dim view of someone pocketing goods for any reason, even if its legal to (temporarily) do so. Could it be called "attempted theft"? Depends on the actual ordinance or statute being applied. At the least, I would expect that someone doing so might find store management/security would be a bit...curious about that behavior.

              1. not.known@this.address

                Re: Conversion?

                Some UK supermarkets now actively encourage customers to "pick your own" and bag it yourself, going so far as to supply handheld barcode scanners- I don't know quite how filling bags is any worse than putting a couple of bits in your pocket until you get to the checkout but apparently it is; they keep most people honest by having random checks where one of the few remaining staff has to rescan a number of items at random (that is, they are supposed to ferret around inside your bags rather than just grab stuff off the top - most people are smart enough to literally bury the evidence, but not all!).

                Given my druthers I won't use those effing things because I believe that if I'm going to do the work of their staff then they should pay me - every cashier replaced with a self-service checkout is (a) more profit lining someone else's pockets and (b) another statistic on the Unemployment register - and for some of them, it's the only human conflict they get outside their immediate family or doorstepping god-botherers...

          3. Martin
            Headmaster

            Re: Conversion?

            When you pick it up, it becomes a stolen hammer...

            In the UK at least, no it isn't. It's only theft if there is a permanent intent to deprive. If it's only used to break the window, then put back, it's not been stolen.

            Off topic - but that is why in this country, you are not charged with theft if you steal a car. There is a separate charge of taking without consent (twoc) for cars - because in most cases, there isn't a permanent intent to deprive.

          4. jgarbo

            Re: Conversion?

            Picked up and put down in the same place? No intent to steal only to (unlawfully?) use.

          5. Lotaresco

            Re: Conversion?

            @TheVogon "When you pick it up, it becomes a stolen hammer..."

            No, which is why shoplifters don't get arrested in the store. The Theft Act 1968 states that a person is guilty of theft if they dishonestly appropriate property belonging to another with the intention to permanently deprive the other of it. It's that intent to permanently deprive that is important. This is also why there is an offence relating to motor vehicles of "Taking Without the Owner's Consent" (TWOC) because "borrowing" a car and intending to return it later is not theft.

            There are some interesting wrinkles such as if someone takes money and then repays the exact amount they took they are still guilty of theft unless the money they put back is the exact same notes and coins as the ones they took.

        3. VanguardG

          Re: Conversion?

          It seems to fit the definition, but law enforcement seems to apply "conversion" almost exclusively within the realm of "white collar" crimes, like wire fraud, and cybercrimes of various stripes. Perhaps they would be content with just trespassing, vandalism, forcible entry and attempted theft - provided you didn't actually *go into* the house through the window, but just broke it. Even if you put the hammer back where you found it, police would still try to pin attempted theft on to maybe get a felony into the mix.

        4. Anonymous Coward
          Anonymous Coward

          Re: Conversion?

          Mind Twist:

          let's say someone throw a guy through a house and broke a window. The guy ended up grabbing then dropping a hammer before exiting the other end of the house. The hammer is later found stuck on the side of the partition wall and far from the initial location/ position.

          Is the guy stealing the hammer?

    2. kain preacher

      Re: Conversion?

      Conversion is when I give you property on loan and you never give it back.

    3. jgarbo
      Happy

      Re: Conversion?

      Not if you asked me nicely for the hammer...

  2. Anonymous Coward
    Anonymous Coward

    Lots of revenge hacks recently...

    Should we be concerned that IT folk might be being treated badly?

    I know that it would take extreme circumstances for me to do anything like this.

    1. Andraž 'ruskie' Levstik

      Re: Lots of revenge hacks recently...

      > I know that it would take extreme circumstances for me to do anything like this.

      Never. Simple as that. My duty is to keep things going, if the employer treats me poorly there are legal means to go after them - without making myself the target.

      1. VanguardG

        Re: Lots of revenge hacks recently...

        Nothing any employer did to me would be worth destroying my career over it, I would be harmed way more than the ex-employer. If they're outside the law, you can sue them and try to "get even" that way, through the courts. If they're just a badly-run company or something, just quit - there're other jobs. If you want to be emphatic, quit without notice...just cover yourself by creating a file with all the passwords and leave a printout somewhere visible - don't give them a chance to claim you stole the passwords. Don't be petty and make them ask, either. You want to be able to show future employers you were professional, but just got pushed to the point you couldn't stand another day, let alone two weeks...if you play childish games, you only hurt yourself.

        Back to the story...the logic bomb went off, blew away some bits...but are there no backups of the data? Seems weird they'd have such a big loss unless they're extremely sloppy - or are just trying to put the screws to the guy while they have the chance.

        1. Anonymous Coward
          Anonymous Coward

          Re: Lots of revenge hacks recently...

          $100K is NOT a big loss at all! If you add up the time taken by everyone involved along the way from initially noticing something is wrong, troubleshooting until the issue is found (for which they hired an outside firm) and getting everything up and running again. Don't forget to add the time wasted by accountants who couldn't do year end closing - and maybe had overtime once it was fixed and they were able to work, potential state/federal fines if certain deadlines for reporting are missed, plus all the time taken by various managers for constant status meetings.

          $100K looks like a massive lowball estimate of what they could have calculated.

          Speaking of constant status meetings, I was on one for about four hours yesterday that had at its peak 50 people on the Skype call. That's easily running over $1000/minute!

          1. VanguardG

            Re: Lots of revenge hacks recently...

            Perhaps...but this was a tech firm - they should have been hyper-vigilant about password security, and been auditing any change or use of any account with enhanced privileges - they incurred much of the damage because they were clearly sloppy and failed to catch the first guy's credentials had been re-enabled (the way I read the article, Patel was the second to leave, with his subordinate having gone first, and he used the other person's credentials to log in, so he must've re-enabled them just for the purpose, and it wasnt' caught)

            1. 2Nick3

              Re: Lots of revenge hacks recently...

              Or he was they guy who should have disabled the subordinate's ID and noticed when it was re-enabled. He was THE sysadmin at that point, and was therefore expected by his employer to act in a professional manner.

              At some point you have to trust someone. When that person turns out to be untrustworthy you are in a really bad place.

        2. Anonymous Coward
          Anonymous Coward

          Re: Lots of revenge hacks recently...

          You want to be able to show future employers you were professional, but just got pushed to the point you couldn't stand another day, let alone two weeks...

          I figure, as work at the company is "at will", it's only fair to give the company exactly as much notice as they *ever* gibe contractors. Usually one hour or less. Didn't have time to pass on information of what I was working on, or data on my projects? Oh well... Latest time I got laid off from a contract job, I was already running a DBAN DOD wipe on the (LUKS-encrypted) HDD 10 minutes later. Tough luck if they needed anything off of it, I was just following appropriate security procedures.

          1. Hollerithevo

            Re: Lots of revenge hacks recently...

            There's a pride in being an honourable person. It's par tof being a professional: you don't act like a shit on the job 9or in your personal life).

  3. James 51

    Anyone more familar with the story any idea why he did it?

    1. Anonymous Coward
      Anonymous Coward

      Yes, it was an prank for the weekend religious holiday where the Zombie Jesus rises up and starts eating the brains of all the apostles in a last brain supper. It wasn't a logic bomb, my good man. It was an Easter Egg.

      Thank you, and enjoy your Peeps! I've been a great audience! Good night!

  4. paulc
    WTF?

    WTF? Backups?

    why didn't they simply restore from a backup?

    1. Aitor 1

      Re: WTF? Backups?

      Well, they claim he was the only one with pl/sql skills.. yet they are running plenty of Oracle databases.

      I think that speaks volumes about the management...

      1. kain preacher

        Re: WTF? Backups?

        Yes there was only two people in the company that had the skills. One quit and you fired the other before replacements was secured.

    2. Korev Silver badge

      Re: WTF? Backups?

      It took them about a fortnight to work out something was wrong. I guess they'd have to restore up until the 31st of March and then eliminate his "improvements" from the 1st of April and then replay all the other legitimate transactions.

  5. Aitor 1

    Proof?

    As I see it, it does not make sense.

    He must be the culprit as "nobody else had the skills", say that he trespassed, yet provide no proof... looks sketchy.. IF he had a stolen laptop (good luck proving that) and that laptop was used to do the thing.. then maybe.

    Now, why should the judge believe that the laptop was stolen? does he still have it and can the company prove that it belongs to them? after all they signed on it..

    As for having a file with all the passwords, it makes absolute no sense, as that file can be transferred... and as for using the mac.. again, no sense, macs can be spoofed.

    1. AndyS

      Re: Proof?

      I guess that's what the court case is for. But bear with me for a while here.

      I have worked in SQL development, but I'd be damned if I could get a random laptop to connect to a random company's network. Let's assume this guy is similar to me - knows a company laptop can connect to the company network, but wouldn't know where to start to get another laptop to. The file? Sure, it could be transferred, don't know why they would bother mentioning it, unless by "file" they actually mean it had an auto-log in system of some sort, or saved passwords, or something similar, more than just a .txt.

      Now let's assume the company network keeps logs of what computers are connected (which seems reasonable), by what means (eg which wifi access point), and who those laptops were issued to. Let's also assume they have some CCTV, hence the accusation of trespassing. This all seems pretty likely.

      We already know he used someone else's account, presumably for a test, before he left.

      From those bits of information, it is pretty trivial to build a fairly damning case, and of course there may well be plenty of important bits of information missing.

      Sure, any one of those could be explained away (mac spoofing, can't prove he has the laptop, maybe he stayed out of CCTV view, maybe he had a legit reason to use the other person's account leading up to his departure...) but together, it seems to paint a pretty obvious picture.

      1. Stoneshop
        Facepalm

        Re: Proof?

        Let's assume this guy is similar to me - knows a company laptop can connect to the company network, but wouldn't know where to start to get another laptop to.

        Really? Wouldn't you just start by dropping "buy laptop $BRAND $MODEL" into your favourite search engine? And there'll be several eBay links on the first results page.

        1. a_yank_lurker

          Re: Proof?

          @Stoneshop - It's not the brand/model of the laptop but the existence of a set of files on the laptop. One other idea is the hard drive could be copied onto other. But there are a couple of problems with this case. Laptops have serial numbers and probably company inventory numbers assigned. Someone should be checking the these numbers immediately when the equipment is turned in. Why wasn't his account cancelled on his last day? The technical skills required are fairly common even if I personally suck at pl/sql and they are not that difficult to learn.

          1. Stoneshop
            Holmes

            Re: Proof?

            One other idea is the hard drive could be copied onto other. But there are a couple of problems with this case. Laptops have serial numbers and probably company inventory numbers assigned.

            That's why you get another one that matches one of the company lappies, image that one's disk on to the one you just got (and the other one's disk image you save somewhere), then hand back both company machines unspindled, unfolded and unmutilated.

        2. Doctor Syntax Silver badge

          Re: Proof?

          "And there'll be several eBay links on the first results page."

          There are eBay links for getting a laptop to connect to a specific company's network?

      2. Uffish

        Re: Proof?

        @AndyS "We already know he used someone else's account, presumably for a test, before he left."

        Well he was a sysadmin - but the the article only said that the biz alleges he used someone else's account to log in.

    2. Lt.Kije

      Re: Proof?

      Exactly. The article describes circumstantial evidence only, no hard proof at all.

      They might him as a terrorists though because, you know, he got one them thar Asian names.

    3. kain preacher

      Re: Proof?

      I think that's why the went fora civil case when most incidents like this are prosecuted as criminal.

  6. Anonymous Coward
    Anonymous Coward

    Theres a lesson here..

    I finished at a company yesterday (start a new role in 2 weeks), I was debating about keeping some of the bits (hardware and software) as it was surplus to the company requirements and would never be used. But I bundled everything in a box and went through it piece by piece with the person who was taking over, made him send me an email confirming receipt of all hardware and software I've every used!

    I thought it was OTT, but Dam glad I did now!

    1. Anonymous Coward
      Anonymous Coward

      Re: Theres a lesson here..

      I did the same thing when I left my last employer. In addition I handed back my company phone and got them to chop up the SIM. I also got the IT admin people to disable my account on the day I left so that I could 'test' that I could no longer gain access to the company's IT systems before I walked out the door (with a spring in my step). I got them to document all of this.

      I went through this rigmarole because I had witnessed a completely innocent ex-employee getting accused of fcuking with the IT systems after he had left the company to cover up a horrendous cock-up that occurred in the department he had previously worked in. Just before this was go to court the company backed down and admitted that he was completely innocent and blameless.

      1. Anonymous Coward
        Anonymous Coward

        Re: Theres a lesson here..

        Checklist on leaving my last company included "office supplies" - so into the box being sent to my boss went the pencil jar and all contents, and the black Swingline stapler.

        If it had been red, well, but it was black.

    2. Ian Michael Gumby
      Boffin

      Re: Theres a lesson here..

      Its never OTT.

      You have to always be professional regardless of how mucked up the employer is.

      What this guy did was criminal and while they are taking a civil course of action he should still be charged.

      What people don't understand is the meaning of conversion. Its a bit complicated. Imagine if you illegally gain access to a computer system and then use it to commit a crime. While you don't take actual possession of the computer (locked away in a secure room) you use it to commit a criminal act thus its theft by conversion.

  7. Jay 2

    I don't see anything in the article to say when he gave the second (wiped) laptop back. I would assume it would be after the alleged hack.

    More worrying though is the inference that he used the company WiFi to gain access. There really shouldn't be accessible WiFi that can allow access to production kit. Any remote access should be via some sort of VPN via 2FA. The 2FA alone should have been enough to stop the alleged login as someone else.

    1. TheVogon

      "There really shouldn't be accessible WiFi that can allow access to production kit. "

      It would be pretty useless as a corporate wifi solution if it didn't. In most corporate WiFi solutions, trusted devices with a recognised certificate can connect to the network automatically... Hence why he needed to keep the laptop to get access.

      1. Anonymous Coward
        Anonymous Coward

        That's right, but consider they should have also revoked all the access for the remote devices. They had the power (maybe not the knowledge, but who's fault is that?) to do so, but did nothing. Unless you start out outsourcing all your IT to trusted shops, you must maintain some sort of knowledge base on whatever it is that is running in an enterprise. Every single one does things differently, yet they use mostly all the same tools to do so. Shitcanning your top guy, then hoping the deadwood can figure out things from documentation that is probably older than the universe, is not a recipe for a successful IT department. The problem being the will of the company to build a mighty IT mountain, then throw out all the expensive people who built it, hoping for a big cash money payday when their high tech thing just keeps working without anybody to manage it. It's small time thinking. They got what they paid for. Who's to say this isn't an attempt to cover up a screw up by the idiots who tried to manage the systems after that guy left? And why did they need outside help to figure out what was going on? I smell rats on both sides of this equation.

        1. TheVogon

          "That's right, but consider they should have also revoked all the access for the remote devices"

          Ideally the device substitution would have been spotted, but I think that one would have got past most corporate checks I have seen. What this relies on is that the user also needs to authenticate.

          The main failing here is that he was able to know another users admin credentials - and they were not changed

          WiFi is not always the only way in. I have been able to plug an Ethernet cable into the back of an IP phone in a (bank's !!) reception area and meeting rooms before and get access to the corporate LAN...

        2. Ben Tasker

          > And why did they need outside help to figure out what was going on? I smell rats on both sides of this equation.

          I can see two possibilities (which aren't mutually exclusive) here

          1) They no longer had the skills in-house to investigate and resolve the issues they'd encountered.

          2) Because it related to their year-end filings, they wanted an independent 3rd party to investigate so that they'd have an "independent" outfit to verify the issue if the taxman, share-holders or anyone else came knocking

          Neither sounds too unlikely or unreasonable to me.

  8. Version 1.0 Silver badge

    BOFH?

    If he did it then he's stupid - and if they had a network that allowed this to happen then they are even more stupid. It sounds like a bunch of amateurs playing at being system administrators - maybe someone at El Reg can persuade Simon to show us all how to do this properly.

    The issue for the BOFH of course is that the Allegro MicroSystems building is only a two story building so the drop from the upper floor is not far enough to do any real damage.

    1. Chris King

      Re: BOFH?

      "The issue for the BOFH of course is that the Allegro MicroSystems building is only a two story building so the drop from the upper floor is not far enough to do any real damage".

      Unless vehicles pass by on the ground floor. When do the bins go out ?

  9. Stoneshop
    Facepalm

    Stupid

    Patel gave back one of the original laptops, and another unissued laptop, after completely wiping the hard drive.

    Get another laptop, same model and specs as one of the ones you're about to hand back, then image that disk onto the new one. Hand back both company lappies.

    1. Anonymous Coward
      Anonymous Coward

      Re: Stupid

      "Patel gave back one of the original laptops, and another unissued laptop, after completely wiping the hard drive."

      If I left work now I'd be in a similar position. According to asset mismanagement I don't have the laptop I have; but I do have both the laptop I had before and the laptop I had before that!

    2. John Brown (no body) Silver badge

      Re: Stupid

      "Get another laptop, same model and specs as one of the ones you're about to hand back, then image that disk onto the new one. Hand back both company lappies."

      Depends. If the HDD is running fully encrypted (which it should be) then imaging or swapping HDDs might just end up with a disk that won't boot without the keys. Back when BitLocker was still a thing, swapping an encrypted HDD into an identical box didn't work so I assume the current equivalents will do the same.

  10. Dave 32
    Pint

    Serial Numbers

    Most companies track items via serial numbers (I know, because it's the time of the year when I have to do the annual equipment audit, which means I have to go around checking all of my equipment, and verifying that the serial numbers match what's in the database. Can you say "Mostly a waste of time"?). So, anyone who even had half a clue (or even a quarter of a clue) should have known that turning in a laptop with a different serial number would, eventually, ring all sorts of alarm bells. :-(

    Dave

    P.S. Is it Beer-o-clock yet?

    1. John Brown (no body) Silver badge

      Re: Serial Numbers

      "Most companies track items via serial numbers "

      Most of the ones I deal with don't. They use their asset numbering system. Except when they call us in for warranty repairs when they give us the make/model/serial. Then we turn up to fix it and the person who logged the call is out and no one else knows where it is and its "can you give us the asset number?"

      Me: "No, you guys never log the asset number on a call, just the s/n"

      Them: "Oh, we can;t search on that, we need the asset number"

      Me: "Ok, give us a call when he comes back then, the bills in the post for the wasted time, bye"

      Sometimes, that last makes them realise they can find it after all, but it takes a little more effort than they wanted to expend. Not as much effort as my 50-100 mile round trip and my time though.

    2. TheVogon

      Re: Serial Numbers

      "So, anyone who even had half a clue (or even a quarter of a clue) should have known that turning in a laptop with a different serial number would, eventually, ring all sorts of alarm bells"

      In theory, yes, but in practice many items go missing, are broken, replaced, etc. It would be unlikely to be an unusual event that would "ring alarm bells" in most environments... In my last environment we had dozens of devices (across tens of thousands) report as missing from the asset database each month.

      Also with laptops, by their nature they might not appear on the network for a long time, so how do you know they are actually missing in any brief timeframe?

    3. HW de Haan

      Re: Serial Numbers

      So I just swap undersides and I'm good to go (If I bring it in in a non-booting state)?

  11. Anonymous Coward
    Anonymous Coward

    What????

    A file with all the user passwords? Why/how would anyone have that info?

    1. TheVogon

      Re: What????

      "A file with all the user passwords? Why/how would anyone have that info?"

      It's easy to export the hashes from an Oracle DB.

      Then use something like: https://hashcat.net/hashcat/

  12. Anonymous South African Coward Bronze badge

    And another career ruined.

    Why do people think that getting revenge by scrambling data/charlie foxtrotting servers/dropping the Bossly Unit in a remote-controlled wheelchair down a manhole is a good option?

    As others said it, I will also say it, stay away from such BOFH antics, it will never end well for you.

    1. DNTP

      When the directors see news like this, every IT person working for them becomes suspect. Suddenly they are mandating key loggers, remote-wipe capability, cameras in every office, RFID location tracking, and pretty soon even the most Lawful Good employees start to feel they have legitimate complaints against their company.

    2. Myvekk

      The thing is, we only hear about the ones who get caught. And they are the ones that make stupid mistakes.

  13. jelabarre59

    "...trashed the Oracle database with a logic bomb..."

    What, did he make a database query on it?

    1. kain preacher

      No he tried to used the database to determine licensing fees .

  14. rfink13

    I remember being hauled in to HR at 2:30 PM on a Friday. I was laid off right then and there. My department's VP was called in to be a witness in case I reacted in a "negative" manner.

    After telling me why I was being laid off they asked if I had any questions. "Just one", I replied. "According to the Security manual if an admin leaves the company the password on his account must be changed immediately.".

    Since I know HR was anal about policies and rules, she asked if that could be done. I told her I could log in on her computer with my account, request a password change and the VP could enter a new password with out me knowing what it is. That way the policy would have been satisfied.

    So logged in into her PC, requested a password change and , the VP changed my password. I was escorted to my cube, picked up my personal stuff, and walked out the door for the last time.

    I would have loved to have been there Monday morning when they discovered that 50+ script files, processes, backups, etc barfed a lung because they were hard coded to use my account/password..

  15. Potemkine Silver badge

    Putting at the stake

    I'm always surprised to read the full name of someone who wasn't condemned yet. What about presumption of innocence?

    Also, it seems we lack information about the motives: why would have this guy do this after so many years being employed by this company? What is the untold part of that story?

    1. Lotaresco

      Re: Putting at the stake

      "I'm always surprised to read the full name of someone who wasn't condemned yet."

      In this case Nimesh Patel is about as unique as John Smith so I'm not too surprised. I certainly hope it's not the same person I worked with some years ago because he was a very nice chap and unlikely to do anything so short-sighted.

  16. Anonymous Coward
    Anonymous Coward

    Sysadmin and Revenge

    There is nothing that prevent a Sysadmin from doing something rogue. Unless the Sysadmin isn't the Sysadmin.

    they could easiest use an alternative system for all their work, and when they are forced out they bring it with them. Also, there is nothing to stop them from scripting a timed phishing email to start spreading malware.

    In this case, the stupid ones got caught but the problem probably is much bigger. If the management or department head value their staffs, the extent of this event probably wouldn't have existed at all. It all comes down to earning trust and understand staff concerns. If they never had that feeling for revenge, they wouldn't be doing any revenge.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like