Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Technology IT

IT Admin Trashes Railroad Company's Network Before He Leaves (bleepingcomputer.com) 212

Catalin Cimpanu, writing for BleepingComputer: A federal jury in Minneapolis, Minnesota found a local man guilty of intentionally damaging his former employer's network before leaving the company. The man's name is Christopher Victor Grupe, 46, and from September 2013 until December 2015 he worked as an IT professional for the Canadian Pacific Railway (CPR), a transcontinental railroad based in Alberta, Canada. Things went sideways in December 2015 when CPR suspended Grupe for 12 days for yelling and using inadequate language with his boss. When the man returned to work following his suspension on December 15, management told Grupe they were going to fire him for insubordination. According to court documents obtained by Bleeping Computer, Grupe asked management to resign, effective immediately. He promised to come back the following days and return company property such as his laptop, remote access device, and access badges. He did return the items, as promised, but not before taking the laptop for a last spin inside CPR's network. Court documents show Grupe accessed the company's switches and removed admin accounts, changed passwords for other admin accounts, and deleted log files. When done, Grupe wiped his laptop and returned it to CPR's Minnesota office on December 17, two days after he resigned.
This discussion has been archived. No new comments can be posted.

IT Admin Trashes Railroad Company's Network Before He Leaves

Comments Filter:
  • by Anonymous Coward on Friday October 13, 2017 @03:03PM (#55364493)

    Why do you leave somsone's access privileges in place when you're in the middle of firing them?

    IMHO, they deserved what they got.

  • by Drakonblayde ( 871676 ) on Friday October 13, 2017 @03:03PM (#55364497)

    *before* you tell someone you're going to fire them.

    • by Anonymous Coward on Friday October 13, 2017 @03:13PM (#55364579)

      That assumes competent people, in HR as well as in IT. Competent people cost money, "management" does not want to spend money, obviously, if "management" tells an admin with full network access, they are going to fire him...

      • It also assumes you CAN disable access on everything the person has access to.

        There's plenty of gear, often at the critical infrastructure level (be it network, power, building monitoring, fire suppression, alarm systems, etc.) that would need a manual touch to change out the lowest level password. Not everything integrates into AD or some management portal, and even the stuff that does usually has a lower-level mode of access.

        • by pnutjam ( 523990 )
          It can easily be put behind a VPN where you can control such access.
          • by afidel ( 530433 )

            Exactly, any life safety system that needed to be network accessible was on its own private vlan with a bastion host used for access, remove network account and you can't access the bastion host. For networking gear you set it up for AAA authentication and make it so local accounts can only be used if the AAA server can't be reached. That plus network monitoring to tell if the device is offline should mean there's no way to use a local login without it being known that it is happening. My goal has always be

        • and gear like that is at level where AD should not be and for stuff like fire suppression, alarm systems the alarm place has remote and do you want them to have remote into the your AD system? the fireman may need an printed admin or full rights maybe other then (account changes) password at the local command station as well.

      • by Snotnose ( 212196 ) on Friday October 13, 2017 @06:29PM (#55365765)

        *before* you tell someone you're going to fire them.

        CSB. One morning some 20 years ago I was in the sysadmin's office talking to him when some guy popped his head in and said he couldn't log in. Sysadmin said "damn, that wasn't supposed to happen until next week".

        Sure enough, next week there was a layoff and the guy who couldn't log in was one of the head reductees.

    • This may be problematic if you're going to fire the very person that would be performing said actions. In a perfect world, you'd perhaps contract someone in a hurry. Maybe we're living in an imperfect world, though.
    • These sorts of actions are the reason why more and more companies treat anyone being laid off as a hostile entity. Perp walked out the door, can't take person items with you (but with vague hopes that they will be mailed later). Then someone dumb in IT attempts to wipe their laptops soon, and someone in facilities starts to box everything up and put it into storage, leaving whatever project they were on in shambles.

      I had three reports laid off in the past, two were out of the building before I even showed

    • by leonbev ( 111395 )

      Yeah... what a dumbass. Everyone knows that you remote into an unliked coworkers PC's with admin rights and make it look like they did the sabotage!

      Geez... doesn't anyone read BOFH on The Register anymore?

  • by rfengineer ( 927289 ) on Friday October 13, 2017 @03:04PM (#55364503)
    "According to court documents obtained by Bleeping Computer, Grupe asked management to resign..." What was management's answer when asked to resign? Did they?
    • by freeze128 ( 544774 ) on Friday October 13, 2017 @03:22PM (#55364645)
      I had no idea I could just ask management to resign. I'm totally going to do that from now on.
    • by clodney ( 778910 )

      "According to court documents obtained by Bleeping Computer, Grupe asked management to resign..." What was management's answer when asked to resign? Did they?

      Well, after they had had to deal with "inadequate language", how could they not resign?

      I did not RTFA, but the language in the summary is rather tortured.

    • by clovis ( 4684 )

      "According to court documents obtained by Bleeping Computer, Grupe asked management to resign..." What was management's answer when asked to resign? Did they?

      It seems to me that the original article was written in Canadian and then run through Google translate to produce Slashdot English.

  • Huh? (Score:4, Informative)

    by msauve ( 701917 ) on Friday October 13, 2017 @03:06PM (#55364515)
    "...using inadequate language..."

    ITYM "inappropriate."
  • At least he did not mess with the other switches.

  • only $30,000 ?? sounds like the upgrade cost to get new hardware but it's not Millions from something derailing

  • by Drakonblayde ( 871676 ) on Friday October 13, 2017 @03:11PM (#55364563)

    So reading through the article, it looks like he was smart enough to get rid of the records of his access on the logging servers, but got caught because he forgot to clear the logging buffers on the network gear.

    Hope it was worth it!

    • by MobyDisk ( 75490 )

      looks like he was smart enough to get rid of the records of his access

      Smaaary....Riiight... because that would totally not have been obvious. Guy with anger management issues is fired, returns his laptop 2 days later, wiped, logs are wiped, and all the passwords are changed so nobody can get in. We shouldn't need log files to see what happened.

      The physical-world equivalent here is the bank fires the one person with access to the vault, and the next day the vault is empty. The former employee shows up to return a giant empty bag with dollar signs all over it. The surveilla

  • by argStyopa ( 232550 ) on Friday October 13, 2017 @03:12PM (#55364567) Journal

    "We've found you SO insubordinate that we have to FIRE you from the company. But yes, we trust you Mr NetAdmin, to take your company laptop home with you."

    Jesus. He's in trouble, but I hope for humanity's sake THEY didn't reproduce.

    • by barc0001 ( 173002 ) on Friday October 13, 2017 @04:18PM (#55365025)

      As a Canadian who is familiar with various aspects of CP Rail, yeah, they are *that* stupid. The only reason they're profitable is inertia and little competition other than CN, who also has similar intelligence problems.

    • Yup. When an employee is in a loud shouting contest with management, the person is going to be fired 99.9% of the time. Why waste 12 days of cooling off time? And why not confiscate the laptop immediately? Vaguely sounds like union rules or an overly restrictive set of procedures to follow.

      As for the employee, it seems like he expected a chance to not be retained and he got his revenge only after being officially terminated.

    • No, you just don't get it.

      The physical laptop is not what really matters. A laptop can be copied. Revoking the credentials is what should have been done.

      It's just like if your bag gets stolen and someone drops your credit cards and your house keys on the front porch of your house. It's nice that those items made their way back to you, but it doesn't mean it's over and you better be sure to change your locks and cancel those credit cards in case someone made copies and eventually tries them out. It's the onl

  • I have a friend on the West Coast who is an expert at cleaning out IT closets. He would be perfect for the job.
  • Every month there's a story like this. It's like the world is full of dumb sysadmins that can't keep it together when they get fired.
    • What gets me is that people remember this stuff forever. About fifteen years ago, I was hired on as a consultant to clean up after an admin was fired, and said admin left many logic bombs (custom compiled init daemons that checked files, and if the files that if were not manually touched every week or so, would start writing garbage on random drive sectors, as well as resetting encryption on backup tapes to passwords from /dev/urandom, ensuring the data backed up would be useless.) Years later, this guy c

  • IT Professional ?? (Score:4, Interesting)

    by nomad63 ( 686331 ) on Friday October 13, 2017 @03:16PM (#55364597)
    Really ? They call him a "Professional" ? On what basis ? Professionals do not scream at other people and use profanity, let alone to their bosses. And when professionals understand that their services are not wanted, they just leave quietly unless their opinions are explicitly wanted, at which point they can criticize their superiors skills or lack there of, using a proper language. Trashing an ex-employer's equipment is childish at best. Far from being a professional. Regarless how bad your management may be. Definitely in the list of "Absolute no-no's" of a professional.
    • They call him a "Professional" ? On what basis ?

      Technically, a "professional" is someone who gets paid for their work, nothing more or less. You're using "professional" in the slang sense.

      • Technically, a "professional" is someone who gets paid for their work, nothing more or less. You're using "professional" in the slang sense.

        A professional is also someone who is worth what they get paid. A professional attitude is not just about being in it for the money -- it's also about making an effort to do one's job well.

        • That's what I meant by the slang sense, but isn't technically part of the what "professional" means. The only difference between a "professional" and an "amateur" is that the professional gets paid.

    • Professionals do not scream at other people and use profanity, let alone to their bosses.

      You can get into real trouble w/o doing any of those things. I once had a new manager (who was, "a quick learner") who wanted me to put a Fiber Channel card designed for a PC into a $200k HP server to, "see if it would work". I replied, very politely, but in front of other people, "Do you even know how computers work?" I got fired the next day. (Which, turns out, was for the best. I got another job within a month at the same pay. Had that one for 16 years.)

      Lesson learned: Don't let people push your butto

      • I replied, very politely, but in front of other people, "Do you even know how computers work?"

        "Do you even know how computers work?" is not a polite response no matter what tone of voice you used.

        • by rossz ( 67331 )

          It's polite compared to what came to my mind, "are you fucking stupid?"

        • I replied, very politely, but in front of other people, "Do you even know how computers work?"

          "Do you even know how computers work?" is not a polite response no matter what tone of voice you used.

          I actually wasn't trying to be snarky, I was so startled by the insistence to try something so obviously stupid that I was genuinely curious. As I said, lesson learned.

      • by zilym ( 3470 )

        So, did everyone in the room burst out laughing? :-)

        Sometimes, a remark like that is totally justified. Unfortunately, in the corporate world and in gov't, it's the "Yes" men that are retained along with their incompetent managers. Those who dare speak the truth are doomed in such organizations.

        Fortunately, incompetent organisations usually lose out in the marketplace to more competent competitors, so it all works out in the end (eventually).

      • by afidel ( 530433 )

        There are no FC cards designed for a PC, there are only PCI, PCI-X and PCIe FC cards, the only difference between one for an HPUX box and an x86 server might be the firmware flashed on it. It's possible there were Sun specific adapters and they were still producing non-pci models in 1997 when FC first came out, but every card I've dealt with even on Solaris was just a PCI(x) card with a custom firmware image (on QLOGIC cards you can flash back and forth).

    • Professionals do not scream at other people and use profanity, let alone to their bosses.

      You sure about that? I suspect Bobby Knight would disagree [youtu.be]

  • Before you fire the guys in IT, change the passwords yourself and protect the network.
    • You need a proper organisation in place to do that. Your IT chief needs a deputy who has access to this stuff and who management can trust.

      • You always have your IT guys make one account on all servers, that can't be disabled, that reports it's alive every week (or day) and whose access certs are stored out of reach of the IT group. This way when you're going to fire the IT guys, you can always get in, change passwords, lock them out and protect yourself.

        All of the servers I manage have this setup, where the owner of the server has a protected Cert kept off site, in their control and if they ever need access to the infrastructure, they can use
  • by fahrbot-bot ( 874524 ) on Friday October 13, 2017 @03:19PM (#55364623)

    ... suspended Grupe for 12 days for yelling and using inadequate language with his boss.

    So, he wasn't rude enough?

    • I don't know why they couldn't fire him WHILE he was suspended.
    • ... suspended Grupe for 12 days for yelling and using inadequate language with his boss.

      So, he wasn't rude enough?

      He was rude enough, but didn't sufficiently back up his hypothesis that his boss was a myopic, micromanaging, misanthropic asshole.

  • by the_skywise ( 189793 ) on Friday October 13, 2017 @03:29PM (#55364705)
    That he was arguing over their shoddy security practices and management didn't care.
    First off they didn't revoke his access keys immediately after firing him/letting him resign - for INSUBORDINATION of all things
    Then it took them 3 weeks to figure out anything had been done, almost a day to figure out they just had to reboot the switches and then they had to call in specialists to figure out how to check the switch logs.
    And boy howdy he sure showed them! /s
  • Choo Choo Motherfucker!

    Seriously, if you have suspended/fired/asked someone to resign, Why on Earth would you not either take their security token, or revoke it?

  • They didn't immediately turn off his access??

  • by King_TJ ( 85913 ) on Friday October 13, 2017 @03:49PM (#55364825) Journal

    I mean, I've been in I.T. for about 30 years now and I know there's really nothing "good" that will come of trying to mess up the corporate networks or computers on your way out the door if you're let go.

    But that said? This article really doesn't tell us anything about what the guy was angry about? If you're screaming at your boss, that tells me one of two basic things. Either A) you're just that unprofessional and have anger issues, or B) the company is doing something SO wrong, internally, that they've created a situation where YOU could become the "fall guy" for major problems set up to happen, and you have reason to confront them angrily.

    (Even if option B is true? This assumes you've already exhausted other avenues to get your message across.)

    I agree though. This railroad obviously has shoddy H.R. policies for handling terminations, in any case. Why would you let someone back onto your network once you terminated them?

    • Sure there's enough info. What could possibly justify him committing an illegal act of industrial sabotage?

      I will judge him. Whatever the situation he was in, he made the wrong decision. Management hurt his feelings? Management raped babies and shot his dog? Doesn't matter. Either way given what he did and what the jury found it sounds like he's up for some time to reflect on his actions.

  • Yea, we had a senior DBA way back in the late 80's who quit in a fit of rage, but first formatted his DOS drive. It took me a few minutes to bring up Norton Utilities and undelete everything. A year later, he tried to come back and we declined to even interview him.

    [John]

  • People who are somewhat career-minded in the IT field should take this as a "what not to do when you're fired" lesson. Our field is surprisingly small, more so once you get into a specialized industry. Nothing good will ever come of some stupid revenge you get on a bad employer...walking away and getting another job is the mature, grown-up thing to do.

    If a doctor got fired from a hospital, would his last action be to order a fatal dose of medication for all his patients? Probably not, if he didn't want to g

  • by 140Mandak262Jamuna ( 970587 ) on Friday October 13, 2017 @04:14PM (#55365003) Journal
    These admin passwords have lots of value in underground markets. And no one can trace the hack back to him.

    The rail road should consider itself lucky it got off with just this much damage. It could have been a lot worse.

  • First he wrecked the entire IT system of Air Canada and completely deleted the company’s customer service capability, but found that nobody noticed, because AC always runs that way.

    • by ve3oat ( 884827 )

      because AC always runs that way.

      Now that's funny! Mod him up, please. Although the above comment was in jest (I think), I am Canadian and can completely believe that this might have happened at Air Canada. And at Rogers Cable too. It would explain so much. My god, that guy really did get around! I'm still chuckling ...

  • by DaMattster ( 977781 ) on Friday October 13, 2017 @04:59PM (#55365317)
    It takes two to make a squabble. If you're the company and you're going to fire someone that has access to critical network and server infrastructure, you cancel all of their access and security privileges immediately - it's never a good idea to practically allow the terminated employee to royally fuck things up for you. If you're the IT pro, you don't use access IDs and tokens with your name attached to them - that's just like robbing a bank, calling the cops with your own personal cell phone, and telling the cops that show up that you're guilty.
  • by Fencepost ( 107992 ) on Friday October 13, 2017 @05:02PM (#55365329) Journal
    Aside from the things the company did wrong (and firing network admins is always difficult), the real stupid move in this story is the sabotage.

    This guy will likely never get hired as an IT staffer again. Sure the company was going to fire him, but in the modern world of "All we can confirm is that he was employed here from X to Y" his reason for departure was going to be an interview question, not something that was going to come up in reference checks. Now even ignoring that searching for his name is going to bring this up, he can't network for jobs with anyone he worked with, anyone who know those folks, and probably out to the second degree.

    I guess that's one way to make sure you follow through on your dreams of a career change.
  • ...that give Canadians a bad name. Now we don't think they're all Dudley Dorights.

    E

  • reboot fixed it was the plan to have stuff fail an then get his job back as being the only person who knows about the network?

  • ...it's a trainwreck.

  • The value of documentation.

Real programmers don't comment their code. It was hard to write, it should be hard to understand.

Working...