
Developer Convicted For 'Kill Switch' Code Activated Upon His Termination (arstechnica.com)
A 55-year-old software developer faces up to 10 years in prison after being convicted for deploying malicious code that sabotaged his former employer's network, causing hundreds of thousands of dollars in losses.
Davis Lu was convicted by a jury for causing intentional damage to protected computers owned by power management company Eaton Corp., the US Department of Justice announced Friday. Lu, who worked at Eaton for 11 years, became disgruntled after a 2018 corporate "realignment" reduced his responsibilities.
He created malicious code that deleted coworker profile files, prevented logins, and caused system crashes. His most destructive creation was a "kill switch" named "IsDLEnabledinAD" that automatically activated upon his termination in 2019, disrupting Eaton's global operations. Lu admitted to creating some malicious code but plans to appeal the verdict.
I don't know what he expected. (Score:5, Insightful)
In any other profession this kind of farewell gift would have been seen as outright evil, but somehow in IT there are plenty of people sharing fantasies about how they would bring down their employers as if they own the place.
Imagine civil engineers planting bombs in bridges that would detonate upon termination of employment. Nobody sane would sympathise with that.
Re: (Score:2)
The most common pattern I've seen is a company gets rid of the only person who knows how something works, a legitimate bug occurs, they assume they were hacked or the guy they got rid of sabotaged them.
It's like if a bridge develops a crack they decide that the civil engineer they laid off did the calculations wrong on purpose to make the company look bad.
Odds are something got missed between fabrication and final inspection but especially in the case when the employee had more knowledge than the manager th
Re: (Score:2)
Well, it shouldn't be hard to determine what "IsDLEnabledinAD" does or was intended to do.
Re: (Score:2)
https://youtu.be/OPeny2iS43I?t... [youtu.be]
Re: (Score:2)
Well, it shouldn't be hard to determine what "IsDLEnabledinAD" does or was intended to do.
Rookie mistake. Always name the malware after your boss or someone there you dislike ... :-)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Imagine civil engineers planting bombs in bridges that would detonate upon termination of employment. Nobody sane would sympathise with that.
Not even a good metaphor. It's more like setting fire to (or magically deleting) all the very specific, custom construction materials of some new building. Now, almost no one in the construction company can do any work until it's replaced. And I could see several ways to sympathize with a person willing to do that.
Re: (Score:2)
Depends.
My organization is an Eaton customer. We have a service provided by them. If one of the Eaton outages we've dealt with were caused by this dude, then the cracked bridge analogy is more accurate.
However, if all he did was fuck with the company, and not the people using the bridge- then ya, I guess you're right.
Re: (Score:3)
In any other profession this kind of farewell gift would have been seen as outright evil, but somehow in IT there are plenty of people sharing fantasies about how they would bring down their employers as if they own the place.
Imagine civil engineers planting bombs in bridges that would detonate upon termination of employment. Nobody sane would sympathise with that.
If your bridges looked like this https://xkcd.com/2347/ [xkcd.com] you'd be asking why more aren't blown up.
Re: (Score:1)
In any other profession this kind of farewell gift would have been seen as outright evil, but somehow in IT there are plenty of people sharing fantasies about how they would bring down their employers as if they own the place.
Imagine civil engineers planting bombs in bridges that would detonate upon termination of employment. Nobody sane would sympathise with that.
Would it help if his employer was an insurance company?
/sarcasm
Re: I don't know what he expected. (Score:2)
Imagine civil engineers planting bombs in bridges that would detonate upon termination of employment. Nobody sane would sympathise with that.
That is one hell of a strawman. Except, he did none of that. All he did was throw a fit and stop things from happening. If he had done that and bought the presidency, he would be celebrated by Republicans.
Believe his innocence (Score:4, Interesting)
The article says he and his supporters believe his innocence.
I wish it explained what his argument is. He admits to having written the code. So is he saying the code does not perform as he expected?
Is he claiming that because the code was created, released/deployed while he had the authority to do so it isn't a crime?
Re: (Score:2)
"The software was buggy, your Honor. My employer didn't allocate sufficient resources for proper QA."
Re:Believe his innocence (Score:5, Informative)
A subsequent investigation found that on the day he had to hand back his corporate laptop, he had deleted a chunk of encrypted data, and had attempted to wipe its Linux OS directories and two code projects. A review of his search history also showed requests for advice on escalating privileges, deleting data and folders, and hiding processes.
The only one saying his "supporters" believe his innocence is his attorney. Looking at all the evidence, it is quite clear he is guilty.
More details from Cyber Security News [cybersecuritynews.com]
Re:Believe his innocence (Score:4, Interesting)
Maybe more details will come out after the trial.
I can imagine (pure speculation here) a scenario in which he didn't write any malicious code, but did wind up needing to do a lot of manual steps, on a regular basis, to compensate for things like system crashes and quirks and known code bugs and only partially automated processes. If he has been there a long time, there may be several tools and services running in their environment with quirks and bugs that only he knows about, because only he regularly works around them. And none of this may even have been his fault, as it may have been the result of budgets and deadlines that were simply too short to do any of this well.
So, after his departure, when other people tried to use these systems without knowledge of the quirks and work-arounds, they started hitting the crashes and other problems.
Disliking this, the employer decides to frame him as malicious and blame him for all this. It might even help them save face in front of clients who are being harmed by all the sudden new system instability. And it would certainly suit their egos to blame the developers for the consequences of having given those same developers too little time to make the systems robust.
Of course, that is pure fiction. I have no idea if this is what is going on. Maybe he did write outright malicious code and is just trying to weasel out of consequences, planning to create doubt in the trial to at least get a reduced sentence.
We won't know until the facts come out. And even then, we might not ever really know.
Re: (Score:3)
Maybe more details will come out after the trial.
From the article you didn't read:
"The US Department of Justice announced Friday that Davis Lu was convicted by a jury . . ."
There's already been a trial. He was convicted.
I can imagine (pure speculation here) a scenario in which he didn't write any malicious code, but
admitted he did anyway? That's some mighty good dope you're smoking there, son.
Re: (Score:3)
Hah, no not dope. As you said, I didn't read the article. I barely even skimmed the summary. I just read DarkOx's comment and ran from there.
I thought that was standard operating procedure on Slashdot.
Re: (Score:3)
The article says he and his supporters believe his innocence.
That's actually for another termination / kill-switch thing where the malware was named "IsDJTenabledinAD".
Re: (Score:1)
might not have been reviewed. The article makes it sound like maybe it was running on some utility/development server he had. Might not have been part of any production system, but simply sitting there waiting to do something nasty with a shared access secret or something.
but then at a company the size of Eaton a developer should not have access to prod systems and if they are given temporary access, any secrets etc should get rotated, etc.
Either way it does reflect badly on Eaton's internal controls
Re: (Score:2)
Either way it does reflect badly on Eaton's internal controls
It does, but it reflects worse on their hiring practices, that he was ever hired to begin with.
And, of course, it reflects worst of all on him having ended his career (and rightly so) in any kind of computer field.
Re: Eaton's code reviews didn't catch this? (Score:2)
Their hiring practices should have rejected his application 11 years ago, when they hired him for a role they subsequently changed years later that led to him being disgruntled?
Re: (Score:2)
but then at a company the size of Eaton a developer should not have access to prod systems
I actively discourage clients from giving me any access to prod just so there can never be the question of something like this. I don't want keys to the cash register!
Re:Eaton's code reviews didn't catch this? (Score:4, Interesting)
> It's even scarier to me that they weren't able to notice this.
What kind of business do you work in where something like this would be caught? For many businesses, internal threats like this are very difficult to protect against.
As part of my job I have admin access to many systems. If I left a scheduled job on one system that ran an innocently named binary "MS-SecurityAudit.exe", that checked against entries in Active Directory, and then went ape shit if the right conditions were met, nobody would notice it until the damage was done. The only reason most of us don't do it is because there is absolutely no point to it. They are not going to call you and offer you your job back. You pretty much have to have serious mental health issues to pull something like this.
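Added example, not part of the comment above and not code from the case: a defensive offboarding review for the scenario that comment describes, correlating a scheduled-job inventory with directory status, an approved-binary baseline and per-host admin lists. The CSV layout, hosts, accounts and hash labels are all constructed assumptions.

```python
import csv
import io

# Constructed sample data (not from the case): a scheduled-job inventory export,
# a directory snapshot (account -> enabled?), per-host admin lists and an
# approved-binary baseline. The hash labels are placeholders, not real digests.
JOBS_CSV = """host,task,author,run_as,binary,sha256
build01,NightlyBackup,svc_backup,svc_backup,C:\\Tools\\backup.exe,hash-backup-v3
dev07,MS-SecurityAudit,jdoe,jdoe,C:\\Tools\\MS-SecurityAudit.exe,hash-unknown-1
app02,LogRotate,asmith,svc_ops,C:\\Tools\\rotate.exe,hash-rotate-v1
"""
DIRECTORY = {"svc_backup": True, "svc_ops": True, "asmith": True, "jdoe": False}
HOST_ADMINS = {"build01": {"asmith", "bkhan"}, "dev07": {"jdoe"},
               "app02": {"asmith", "bkhan"}}
APPROVED = {"hash-backup-v3", "hash-rotate-v1"}


def review_jobs(jobs_csv, directory, host_admins, approved):
    """Return {(host, task): [findings]} for jobs that need a human look."""
    report = {}
    for job in csv.DictReader(io.StringIO(jobs_csv)):
        findings = []
        # Owner check: a job authored by or running as an account that is
        # disabled or missing from the directory has outlived its owner.
        for role in ("author", "run_as"):
            if not directory.get(job[role], False):
                findings.append(f"{role} '{job[role]}' is disabled or unknown")
        # Content check: judge the binary by hash against the baseline,
        # never by its (possibly reassuring) file name.
        if job["sha256"] not in approved:
            findings.append(f"binary {job['binary']} not in approved baseline")
        # Access check: a host with one administrator has no second reviewer.
        if len(host_admins.get(job["host"], set())) < 2:
            findings.append(f"host {job['host']} has fewer than two admins")
        if findings:
            report[(job["host"], job["task"])] = findings
    return report


if __name__ == "__main__":
    result = review_jobs(JOBS_CSV, DIRECTORY, HOST_ADMINS, APPROVED)
    for key, findings in result.items():
        print(key, findings)
```
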
Re: (Score:2)
and running on a server that only Lu... had access to.
No. This is pure greed and ineptness by the company. Welcome to modern business, where proper security controls aren't in place because management wants to overwork everyone and understaff every department.
success is the best revenge (Score:3)
Re: (Score:2)
I've always approached it from the mentality that when I leave a job, I'm going to a better position/ environment/ salary than the one I left. Treat every change as an opportunity to change for the better, fix the things you didn't like and expand on those you did.
I just look at it as ethics.
I have an agreement with my employer, and last payday they paid me $X for doing Y. I am compensated to the level agreed-upon and they have the work that was agreed-upon. Specific terms may change from time to time in the form of raises, promotions, demotions, disciplinary action but as long as the bank has what I was promised for the last pay period, my employer should have what I was tasked with.
That doesn't mean they're entitled to next pay period. Nor am I. If the agre
Die in flame? [Y]es/[N]o/Ask again [L]ater (Score:2)
Is this a reverse-non-compete? (Score:4, Insightful)
I was illegally discriminated against at a company for racial reasons. I took a photo of a slack conversation I wasn't supposed to see when my boss left his computer unlocked that confirmed it. I have a good case...but for the reasons above, I just left. "Just won a lawsuit" is not a good look and a huge gamble for little reward.
What this guy did is basically a reverse non-compete. With non-competes, you leave us?...we fuck your ability to earn a living for a period of time. Here, it was "you fire me?...I fuck with your ability to earn revenue for a short period of time."
This is like learning Harvey Weinstein was raped in prison. I shouldn't cheer it, but I also am not horrified or enraged by it.
Finally, as others pointed out...how come this place allowed it to happen? You are a shit show if one employee can cause so much chaos. You need to have code reviewed and regular security audits...so not only did they screw over their employees, they screwed over their customers by cutting corners, while no doubt overcharging the customers and overpaying their executives.
Please help me understand this attitude (Score:3)
Why would you need to do anything at all when you could do nothing at all?
Why do people believe they have to stay in abusive relationships? Why do people believe they have to work for abusive employers?
If you caught your girlfriend cheating on you, nobody would question your decision to leave. But if you caught your girlfriend cheating on you for the 42nd time, everyone would question your decision to stay.
Why would it be any diffe
There is no humanity (Score:3, Interesting)
We can safely assume Eaton treated him like shit. It's not a stretch to say that he then treated Eaton like shit. It's also not a stretch to say that a fucked up corp has fucked up software with many points of failure. It's also just silly to give one guy in IT all the power. It's very Musk-like, if you think about it. Any one of these DOGE goons could take down Social Security on purpose or by accident.
Hahha (Score:2)
Lessons to be Learned (Score:2)
What he allegedly did was very wrong. I'd never condone such behavior. His biggest mistake, however, was getting caught. Come on, it would be so easy to make it look like an innocent mistake...
but how does that explain the 36 code checkins (Score:2)
A Small Number of Employers... (Score:2)
Plot Twist (Score:2)
I could never write headlines... (Score:2)
It sounds like a boolean or a bitmask that was checked in random places in the code that would bypass stuff that needed to get done and given a harmless sounding name... this doesn't take a hacker genius.
It does take a genius to realize this qualifies as a KilL sWitCh!!!
CFAA (Score:2)
This is what CFAA is for, not the BS that they used against Aaron.
This guy made life miserable in multiple ways for his successor.
1. By having to clean up his mess
2. By always being under suspicion of having planted his own logic bomb.
I hope this idiot rots in jail for a long time.
The guys of 55-year-old programmer (Score:2)
I guess what I'm saying is while I think what he did was dumb as a blade of grass and completely pointless we are abandoning large swaths of the population to homelessness in a country that treats homeless people worse than we treat mass murderers.
Expect to see more of thi
How did this pass code review? (Score:2)
This is bigger... (Score:2)
This reflects a larger issue within the tech industry. How is it acceptable for a company to take nearly two decades of an employee’s time, only to discard them like they never mattered? Many may see this as just “business as usual,” but it shouldn’t be the norm. Time is invaluable—it can’t be reclaimed. When employees are let go for reasons beyond their control, companies should face consequences that discourage them from making such decisions.
Re: (Score:3)
It works both ways, though. A valuable employee can quit a company with not too much notice. Like it or not, this is the bargain we've arrived at. (Presumably, the company compensated the employee for the "nearly two decades of time"...)
The right thing to do is for companies to treat employees well and employees to treat their employers well... but for both of them to acknowledge that it's a business relationship that can be terminated pretty quickly if the situation changes.
Re: This is bigger... (Score:2)
Sounds like this guy wasn't very good at his job. He was demoted 4 years after being hired and then eventually got fired.
This is why (Score:2)
This is why you should always do your best to keep your employees properly gruntled.
a 3rd party gets to stop it all (Score:1)
I never understood the US justice system and the (Score:2)
I never understood the US justice system and the punishments - there is very little justice when you get a 10 year sentence for what is essentially a very expensive prank, while murderers/drunk drivers/rapists/etc walk with less of a sentence. Not saying he doesn't deserve to pay for his crime, just saying there are people that get much more lenient sentences for actual bodily harm that destroys lives. This was a blip in operations for a company with no lasting effect other than better IT controls(one hope
Neat (Score:2)
That's a neat way to trigger something. Kudos for thinking of that.
-m
Re: Neat (Score:2)
When you do it for yourself, learn from this guy's mistakes and have the process delete itself after. Leaving evidence behind is what got him convicted.
BOFH Fans Know (Score:2)