
Developer Convicted For 'Kill Switch' Code Activated Upon His Termination (arstechnica.com) 82
A 55-year-old software developer faces up to 10 years in prison after being convicted for deploying malicious code that sabotaged his former employer's network, causing hundreds of thousands of dollars in losses.
Davis Lu was convicted by a jury for causing intentional damage to protected computers owned by power management company Eaton Corp., the US Department of Justice announced Friday. Lu, who worked at Eaton for 11 years, became disgruntled after a 2018 corporate "realignment" reduced his responsibilities.
He created malicious code that deleted coworker profile files, prevented logins, and caused system crashes. His most destructive creation was a "kill switch" named "IsDLEnabledinAD" that automatically activated upon his termination in 2019, disrupting Eaton's global operations. Lu admitted to creating some malicious code but plans to appeal the verdict.
I don't know what he expected. (Score:5, Insightful)
In any other profession this kind of farewell gift would have been seen as outright evil, but somehow in IT there are plenty of people sharing fantasies about how they would bring down their employers as if they own the place.
Imagine civil engineers planting bombs in bridges that would detonate upon termination of employment. Nobody sane would sympathise with that.
Re: (Score:2)
The most common pattern I've seen is a company gets rid of the only person who knows how something works, a legitimate bug occurs, they assume they were hacked or the guy they got rid of sabotaged them.
It's like if a bridge develops a crack they decide that the civil engineer they laid off did the calculations wrong on purpose to make the company look bad.
Odds are something got missed between fabrication and final inspection but especially in the case when the employee had more knowledge than the manager th
Re: (Score:2)
Well, it shouldn't be hard to determine what "IsDLEnabledinAD" does or was intended to do.
Re: (Score:2)
https://youtu.be/OPeny2iS43I?t... [youtu.be]
Re: (Score:2)
Well, it shouldn't be hard to determine what "IsDLEnabledinAD" does or was intended to do.
Rookie mistake. Always name the malware after your boss or someone there you dislike ... :-)
Re:I don't know what he expected. (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
You do know the International Obfuscated C Code Contest has been running for over 40 years now, right?
Re: (Score:2)
Re: (Score:2)
Imagine civil engineers planting bombs in bridges that would detonate upon termination of employment. Nobody sane would sympathise with that.
Not even a good metaphor. It's more like setting fire to (or magically deleting) all the very specific, custom construction materials of some new building. Now, almost no one in the construction company can do any work until it's replaced. And I could see several ways to sympathize with a person willing to do that.
Re: (Score:2)
Depends.
My organization is an Eaton customer. We have a service provided by them. If one of the Eaton outages we've dealt with were caused by this dude, then the cracked bridge analogy is more accurate.
However, if all he did was fuck with the company, and not the people using the bridge- then ya, I guess you're right.
Re: (Score:2)
Well, did you have an outage on September 9, 2019?
A lot of people are Eaton customers in one way or another, it's hard to escape them. They're like the Nestle of power products. Also, unless the outage caused a life-threatening scenario, it's still not apt. If the outage did cause a life-threatening scenario, I would have reconsidered how the whole system is designed and setup to not let something like an outage be a single point of failure for the whole *whatever it is*. Either way, the guy isn't responsib
Re: (Score:2)
Well, did you have an outage on September 9, 2019?
Couldn't tell you- zero interest in looking. This is a hypothetical discussion.
A lot of people are Eaton customers in one way or another, it's hard to escape them. They're like the Nestle of power products.
Indeed.
Also, unless the outage caused a life-threatening scenario, it's still not apt.
Oh, it's very easy to move it into that territory.
We use Eaton generators, and we provide e911 transport.
Of course that requires a coincident power outage along with a generator failure to start that we weren't notified about via Eaton, and also the failure of the backup dry-contact monitoring, so that we didn't get guys on-site before the batteries ran dead- it's definitely a chain of hypotheticals- but well within the ran
Re: (Score:2)
Well, hypothetically speaking, it sounds like your setup doesn't have any single points of failure. Which means, hypothetically speaking, an Eaton lockout is never severe in and of itself. It's easy to blame this guy. But, hypothetically, let's say all those things did fail. Who do you blame for the power outage? Who do you blame for the backup failure? Who do you blame if the on-site guys don't get there in time? Or do you just end up pinning it all on this guy because it's easier? I'm willing to bet that if
Re: (Score:2)
Every party that causes damages is potentially liable for those damages.
In the real world, of course, many "reasonably expected situations", or "acts of god", or whatever will be shielded from said liability.
This guy's actions will not. He is responsible for any damages caused by his actions, not the people who didn't implement enough redundancy into their system.
An age old example of this is, "have you committed a crime if you walk into someone's house whe
Re: (Score:2)
I understand tort just fine. It just doesn't apply here.
And that's not a relevant example to the situation either. I already said he committed a crime. So, a better example, Person A murders Person B. Person A is caught. Person B was one of the only people that knew how to do Task X at Company Y. Because Person B is no longer alive to do Task X, Company Y loses millions of dollars. Person A is responsible for the murder (and any other crimes leading up to), he is not responsible for the millions of dollars
Re: (Score:2)
Proximate cause against someone who attacked a service that was tied to a critical service is absolutely grounds for liability.
Generally, all that would need to be shown was that the person who did the action should reasonably have known it would have harmed me.
Being we're talking about something adjacent to generators- i.e., things that keep critical infrastructure up, I'm not worried about losing that case.
An example of this would be the case of a multiple car pileup.
Liabilit
Re: (Score:2)
Now, almost no one in the construction company can do any work until it's replaced. And I could see several ways to sympathize with a person willing to do that.
Why? Even if an employee played a role in the creation of the magical "custom construction materials", it doesn't make them the owner unless they have a very specific arrangement with their employer.
Re: (Score:3)
In any other profession this kind of farewell gift would have been seen as outright evil, but somehow in IT there are plenty of people sharing fantasies about how they would bring down their employers as if they own the place.
Imagine civil engineers planting bombs in bridges that would detonate upon termination of employment. Nobody sane would sympathise with that.
If your bridges looked like this https://xkcd.com/2347/ [xkcd.com] you'd be asking why more aren't blown up.
Re: (Score:2)
In any other profession this kind of farewell gift would have been seen as outright evil, but somehow in IT there are plenty of people sharing fantasies about how they would bring down their employers as if they own the place.
Imagine civil engineers planting bombs in bridges that would detonate upon termination of employment. Nobody sane would sympathise with that.
Would it help if his employer was an insurance company?
/sarcasm
Re: I don't know what he expected. (Score:2)
Imagine civil engineers planting bombs in bridges that would detonate upon termination of employment. Nobody sane would sympathise with that.
That is one hell of a strawman. Except, he did none of that. All he did was throw a fit and stop things from happening. If he had done that and bought the presidency, he would be celebrated by republicans.
Re: (Score:2)
Imagine civil engineers planting bombs in bridges that would detonate upon termination of employment. Nobody sane would sympathise with that.
No, but what you are describing is obvious to the average person as a much more extreme thing that is also a direct threat on human life. And the destruction of tangible property which the engineer only plans and millions of dollars are spent on other peoples' labor and materials. I would suggest considering more moderate examples where a dismissed employee sabotag
Re: (Score:2)
For example; A manager in charge of a project arranges for all the plans and details about who is in charge of what to get destroyed or lost and become unfindable by their replacement should they be removed by management.
This almost works, except instead imagine that the manager has been begging for another manager or three to help take over some of their workload because they're completely swamped, and their repeated requests for backups and redundancy have been being dismissed for years due to budget constraints.
Re: (Score:2)
I don't know who is feeling sympathy for this guy. Even if his company was run by jerks (and it probably was), sorry, no sympathy from me. Just quit and move on.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Nobody sane would sympathise with that.
Agreed, they would have to be insane. And probably ugly too. And have extremely bad smelling bowel movements.
This is a power that should be reserved for large corporations when they disable millions of dollars of equipment, causing untold damages, because they detect that you have used a competitor's product.
But, but, that is different, you say, because an individual committed this crime, corporations are just protecting their profits. That, as we all know, is the m
Re: (Score:2)
Imagine civil engineers planting bombs in bridges that would detonate upon termination of employment. Nobody sane would sympathise with that.
Less extreme, imagine dumping concrete mix into all the toilets on Friday night. It would disrupt the Monday morning ritual of management.
Believe his innocence (Score:4, Interesting)
The article says he and his supporters believe his innocence.
I wish it explained what his argument is. He admits to having written the code. So is he saying the code does not perform as he expected?
Is he claiming that because the code was created, released/deployed while he had the authority to do so it isn't a crime?
Re: (Score:3)
"The software was buggy, your Honor. My employer didn't allocate sufficient resources for proper QA."
Re: (Score:3)
"The software was buggy, your Honor. My employer didn't allocate sufficient resources for proper QA."
Exactly, if such changes were able to get through the review process, then they obviously don't have a review process. If they don't have a review process they have a liability problem.
They were probably trying to reduce their dependence on him because he was a silo, the guy that hoards domain knowledge and makes everyone's life more difficult. Which also means that the company didn't put any effort over the last ten years into improving processes or documentation that would prevent a scenarios - jus
Re:Believe his innocence (Score:5, Informative)
A subsequent investigation found that on the day he had to hand back his corporate laptop, he had deleted a chunk of encrypted data, and had attempted to wipe its Linux OS directories and two code projects. A review of his search history also showed requests for advice on escalating privileges, deleting data and folders, and hiding processes.
The only one saying his "supporters" believe his innocence is his attorney. Looking at all the evidence, it is quite clear he is guilty.
More details from Cyber Security News [cybersecuritynews.com]
Re: (Score:3, Interesting)
Maybe more details will come out after the trial.
I can imagine (pure speculation here) a scenario in which he didn't write any malicious code, but did wind up needing to do a lot of manual steps, on a regular basis, to compensate for things like system crashes and quirks and known code bugs and only partially automated processes. If he has been there a long time, there may be several tools and services running in their environment with quirks and bugs that only he knows about, because only he regularly wor
Re:Belive his innocence (Score:4, Interesting)
Maybe more details will come out after the trial.
From the article you didn't read:
"The US Department of Justice announced Friday that Davis Lu was convicted by a jury . . ."
There's already been a trial. He was convicted.
I can imagine (pure speculation here) a scenario in which he didn't write any malicious code, but
admitted he did anyway? That's some mighty good dope you're smoking there, son.
Re: (Score:2, Insightful)
Hah, no not dope. As you said, I didn't read the article. I barely even skimmed the summary. I just read DarkOx's comment and ran from there.
I thought that was standard operating procedure on Slashdot.
Re: (Score:2)
From the article you didn't read:
"The US Department of Justice announced Friday that Davis Lu was convicted by a jury . . ."
There's already been a trial. He was convicted.
That doesn't say much. A jury of people with no skill in the area can easily make mistakes.
Re: (Score:3)
The article says he and his supporters believe his innocence.
That's actually for another termination / kill-switch thing where the malware was named "IsDJTenabledinAD".
Re: (Score:1)
might not have been reviewed. The article makes it sound like maybe it was running on some utility/development server he had. Might not have been part of any production system, but simply sitting there waiting to do something nasty with a shared access secret or something.
but then at a company the size of Eaton a developer should not have access to prod systems and if they are given temporary access, any secrets etc should get rotated, etc.
Either way it does reflect badly on Eaton's internal controls
Re: (Score:2)
Either way it does reflect badly on Eaton's internal controls
It does, but it reflects worse on their hiring practices, that he was ever hired to begin with.
And, of course, it reflects worst of all on him having ended his career (and rightly so) in any kind of computer field.
Re: Eaton's code reviews didn't catch this? (Score:2)
Their hiring practices should have rejected his application 11 years ago, when they hired him for a role they subsequently changed years later that led to him being disgruntled?
Re: (Score:2)
There is no circumstance that justifies his deliberate sabotage. Despite whatever revenge fantasies you might currently be masturbating to.
His criminal conviction indicates that society, at large, agrees.
Re: (Score:2)
No, there isn't.
I thought it was blatantly obvious, but I was replying to
It does, but it reflects worse on their hiring practices, that he was ever hired to begin with.
He was hired 11 years before this happened. Since he was hired he got demoted. He wasn't even doing the same work he was hired for.
How could hiring practices have had any impact at all?
Re: (Score:2)
but then at a company the size of Eaton a developer should not have access prod systems
I actively discourage clients from giving me any access to prod just so there can never be the question of something like this. I don't want keys to the cash register!
Re:Eaton's code reviews didn't catch this? (Score:4, Interesting)
> It's even scarier to me that they weren't able to notice this.
What kind of business do you work in where something like this would be caught? For many businesses, internal threats like this are very difficult to protect against.
As part of my job I have admin access to many systems. If I left a scheduled job on one system that ran an innocently named binary "MS-SecurityAudit.exe", that checked against entries in Active Directory, and then went ape shit if the right conditions were met, nobody would notice it until the damage was done. The only reason most of us don't do it is because there is absolutely no point to it. They are not going to call you and offer you your job back. You pretty much have to have serious mental health issues to pull something like this.
Re: (Score:2)
and running on a server that only Lu... had access to.
No. This is pure greed and ineptness by the company. Welcome to modern business, where proper security controls aren't in place because management wants to overwork everyone and understaff every department.
Re: (Score:2)
> You pretty much have to have serious mental health issues to pull something like this.
In medical terms, this is called being an asshole.
success is the best revenge (Score:3)
Re: (Score:2)
I've always approached it from the mentality that when I leave a job, I'm going to a better position/ environment/ salary than the one I left. Treat every change as an opportunity to change for the better, fix the things you didn't like and expand on those you did.
I just look at it as ethics.
I have an agreement with my employer, and last payday they paid me $X for doing Y. I am compensated to the level agreed-upon and they have the work that was agreed-upon. Specific terms may change from time to time in the form of raises, promotions, demotions, disciplinary action but as long as the bank has what I was promised for the last pay period, my employer should have what I was tasked with.
That doesn't mean they're entitled to next pay period. Nor am I. If the agre
Re: (Score:3)
I just look at it as ethics.
I just look at it as hassle I don't need or want. Something goes wonky in the near future after you leave, and everyone will think you had something to do with it, even if you didn't. I don't want former managers or cops breathing down my neck about some issue or another; leave me alone.
In fact, something like that did happen to me. I left a job abruptly because of stress-related health issues, and a week later, one of the Solaris boxes burped and needed a reboot. I wasn't technically a sysadmin, but
Die in flame? [Y]es/[N]o/Ask again [L]ater (Score:2)
Is this a reverse-non-compete? (Score:4, Insightful)
I was illegally discriminated against at a company for racial reasons. I took a photo of a slack conversation I wasn't supposed to see when my boss left his computer unlocked that confirmed it. I have a good case...but for the reasons above, I just left. "Just won a lawsuit" is not a good look and a huge gamble for little reward
What this guy did is basically a reverse non-compete. With non-competes, you leave us?...we fuck your ability to earn a living for a period of time. Here, it was "you fire me?...I fuck with your ability to earn revenue for a short period of time."
This is like learning Harvey Weinstein was raped in prison. I shouldn't cheer it, but I also am not horrified or enraged by it.
Finally, as others pointed out...how come this place allowed it to happen? You are a shit show if one employee can cause so much chaos. You need to have code reviewed and regular security audits...so not only did they screw over their employees, they screwed over their customers by cutting corners, while no doubt overcharging the customers and overpaying their executives.
Please help me understand this attitude (Score:3)
Why would you need to do anything at all when you could do nothing at all?
Why do people believe they have to stay in abusive relationships? Why do people believe they have to work for abusive employers?
If you caught your girlfriend cheating on you, nobody would question your decision to leave. But if you caught your girlfriend cheating on you for the 42nd time, everyone would question your decision to stay.
Why would it be any diffe
There is no humanity (Score:3, Interesting)
We can safely assume Eaton treated him like shit. It's not a stretch to say that he then treated Eaton like shit. It's also not a stretch to say that a fucked up corp has fucked up software with many points of failure. It's also just silly to give one guy in IT all the power. It's very Musk-like, if you think about it. Any one of these DOGE goons could take down Social Security on purpose or by accident.
Re: There is no humanity (Score:2)
"Biden gave just the "same access" when he was in power"
To whom? And cite your source.
Re: (Score:2)
I don't think we can "safely" make the assumptions you are making. There is a wide spectrum of employers, with a wide spectrum of dysfunction and attitudes on the treatment of employees. In my own company, there are some departments that would be hell to work in, but mine is great. The most important thing about how good your job is, is how good your boss is. There are good and bad bosses at any company of any large size.
Hahha (Score:2)
Lessons to be Learned (Score:3)
What he allegedly did was very wrong. I'd never condone such behavior. His biggest mistake, however, was getting caught. Come on, it would be so easy to make it look like an innocent mistake...
but how does that explain the 36 code checkins (Score:2)
A Small Number of Employers... (Score:2)
Plot Twist (Score:2)
I could never write headlines... (Score:2)
It sounds like a boolean or a bitmask that was checked in random places in the code that would bypass stuff that needed to get done and given a harmless sounding name... this doesn't take a hacker genius.
It does take a genius to realize this qualifies as a KilL sWitCh!!!
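A reviewer-side check for the pattern discussed in this thread, as an added example (not code from the article, the commenters, or Eaton): it flags directory-status checks that are bound to one fixed person, either through a hard-coded account name or through a person's initials embedded in the function name. The roster, the Java-like snippet and every function name in it are constructed, and both heuristics are assumptions that will produce false positives.

```python
import re

# Matches a simple call expression: name(args), with no nested parentheses.
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(([^()]*)\)")
# True when the whole argument list is a single quoted string literal.
STRING_LITERAL = re.compile(r"""^\s*["']([^"']+)["']\s*$""")
# Splits camelCase / snake_case identifiers and keeps acronyms such as "AD" whole.
WORD = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+")

STATUS_WORDS = ("enabled", "disabled", "active", "locked")
DIRECTORY_TOKENS = {"ad", "ldap", "directory"}


def name_tokens(identifier):
    """Lower-cased words of an identifier, e.g. isTVEnabledInAD -> is, tv, enabled, in, ad."""
    return [w.lower() for w in WORD.findall(identifier)]


def is_directory_status_check(identifier):
    """Heuristic: the name mentions an account state and a directory service."""
    lowered = identifier.lower()
    return (any(s in lowered for s in STATUS_WORDS)
            and any(t in DIRECTORY_TOKENS for t in name_tokens(identifier)))


def initials(full_name):
    return "".join(part[0] for part in full_name.split()).lower()


def find_identity_bound_checks(source, roster):
    """Return (line, function, account, reason) for checks tied to one person.

    roster maps account name -> full name for people with commit or admin access.
    """
    by_initials = {initials(name): account for account, name in roster.items()}
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for func, args in CALL.findall(line):
            if not is_directory_status_check(func):
                continue
            literal = STRING_LITERAL.match(args)
            if literal and literal.group(1).lower() in roster:
                # Identity fixed when the code was written, not taken from the session.
                findings.append((line_no, func, literal.group(1).lower(),
                                 "hard-coded account"))
                continue
            for token in name_tokens(func):
                if token in by_initials:
                    findings.append((line_no, func, by_initials[token],
                                     "initials in name"))
                    break
    return findings


# Constructed roster and constructed Java-like source; none of it is from the case.
ROSTER = {"rquintero": "Rosa Quintero", "tveld": "Tom Veld"}
SAMPLE_SOURCE = "\n".join([
    'void nightlySync() {',
    '    if (isEnabledInAD(currentUser)) { refreshProfile(currentUser); }',
    '    if (!isEnabledInAD("rquintero")) { runCleanup(); }',
    '    if (isTVEnabledInAD()) { rotateLogs(); }',
    '    boolean loaded = loadSettings("rquintero");',
    '}',
])

if __name__ == "__main__":
    for finding in find_identity_bound_checks(SAMPLE_SOURCE, ROSTER):
        print(finding)
    # The name quoted in the summary also matches the directory-status heuristic.
    print(is_directory_status_check("IsDLEnabledinAD"))
```

A hit is a prompt for a human reviewer to ask why behaviour depends on one named person's account state; the check on the session user in line 2 of the sample is the ordinary case and is not flagged.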
CFAA (Score:2)
This is what CFAA is for, not the BS that they used against Aaron.
This guy made life miserable in multiple ways for his successor.
1. By having to clean up his mess
2. By always being under suspicion of having planted his own logic bomb.
I hope this idiot rots in jail for a long time.
The guys of 55-year-old programmer (Score:2)
I guess what I'm saying is while I think what he did was dumb as a blade of grass and completely pointless we are abandoning large swaths of the population to homelessness in a country that treats homeless people worse than we treat mass murderers.
Expect to see more of thi
How did this pass code review? (Score:2)
Re: (Score:2)
Why would the guy try to get his code reviewed, if his point was to screw the company? Do you think he would follow _process_?
This is bigger... (Score:2)
This reflects a larger issue within the tech industry. How is it acceptable for a company to take nearly two decades of an employee’s time, only to discard them like they never mattered? Many may see this as just “business as usual,” but it shouldn’t be the norm. Time is invaluable—it can’t be reclaimed. When employees are let go for reasons beyond their control, companies should face consequences that discourage them from making such decisions.
Re: (Score:3)
It works both ways, though. A valuable employee can quit a company with not too much notice. Like it or not, this is the bargain we've arrived at. (Presumably, the company compensated the employee for the "nearly two decades of time...)
The right thing to do is for companies to treat employees well and employees to treat their employers well... but for both of them to acknowledge that it's a business relationship that can be terminated pretty quickly if the situation changes.
Re: This is bigger... (Score:2)
Sounds like this guy wasn't very good at his job. He was demoted 4 years after being hired and then eventually got fired.
Re: (Score:2)
Time is invaluable—it can’t be reclaimed.
True and after a few years of working for a company it's better to move on for your own career anyway. Companies crap on about job hopping and it's a situation they created. Their complacency created this situation for themselves and I've seen businesses with poor software conditions fail.
More than likely if he had simply deleted the comments from the code and done nothing else they would have a pretty tough time, all this guy has done is given them someone to point a finger at for all of their techni
This is why (Score:2)
This is why you should always do your best to keep your employees properly gruntled.
a 3rd party gets to stop it all (Score:1)
I never understood the US justice system and the (Score:2)
I never understood the US justice system and the punishments - there is very little justice when you get a 10 year sentence for what is essentially a very expensive prank, while murderers/drunk drivers/rapists/etc walk with less of a sentence. Not saying he doesn't deserve to pay for his crime, just saying there are people that get much more lenient sentences for actual bodily harm that destroys lives. This was a blip in operations for a company with no lasting effect other than better IT controls(one hope
Neat (Score:2)
That's a neat way to trigger something. Kudos for thinking of that.
-m
Re: Neat (Score:2)
When you do it for yourself, learn from this guy's mistakes and have the process delete itself after. Leaving evidence behind is what got him convicted.
BOFH Fans Know (Score:4, Informative)
Yet Corporations Do This All The Time (Score:2)
If they detect that you have used a competitor's product, they will brick your device entirely, rendering it worthless. Knowingly and intentionally.
Yet, not one person has spent a millisecond in jail, or even been slightly inconvenienced. Instead, they have been financially rewarded. You cannot even take them to court anymore due to their buried arbitration horse shit.
But if you ever do anything even remotely similar. Oh no. No. No no. That is a crime. It is a crime and no amount of public money will