2.5 Years in Jail for Planting 'Logic Bomb'

cweditor writes "A former Medco Health systems administrator was sentenced to 30 months in federal prison and ordered to pay $81,200 in restitution for planting a logic bomb on a network that held customer health care information. The code was designed to delete almost all information on about 70 company servers. This may be longest federal prison sentence for trying to damage a corporate computer system, although Yung-Hsun Lin faced a maximum of 10 years." How long before the disgruntled sysadmin replaces the disgruntled postal worker in the zeitgeist?

Do they give Nobel prizes for

[Trigun (685027)]

Attempted Physics? I think not!

Re:Let's face it

[COMON$ (806135)]

Some of the best sysadmins I know are ex-developers. The worst happen to be tinkerers who were in the right place at the right time who fit the aforementioned description. Its OK, cause as a sysadmin I make good money fixing networks that another sysadmin botched up.

But I agree with you, I was a CS graduate that decided to head for the Network Engineering/Sys Admin field because the work was more interesting to me. Not saying that dev work isn't interesting, it is just not my cup o tea.

Every once in a while I consider heading back to dev work when I get tired of everyone watching every thing I do and having an opinion on it. Devs seem to have the enigma feel in the departments I have worked in. No one really knows what they do on an hour by hour basis except for their peers, they get to test things before they are live and if they make a mistake it is just considered standard debugging. Whereas as a Sysadmin, if someone's e-mail gets routed to junk mail you get put on the most wanted list for months.

Let me guess

[Daimanta (1140543)]

They replaced everyones desktops with a picture of Xeno's paradox?

Re:Let me guess

[HUADPE (903765)]

Xeno's paradox is easily disproved in three steps.

1: Get crossbow and bolt. 2: Aim crossbow at Xeno. 3: Fire. If the bolt moves to Xeno, then it is proved that movement is possible. Also, Xeno will be dead. Win win situation.

Re:Let me guess

[dryueh (531302)]

Xeno will be dead. Win win situation. Xeno IS dead, you insensitive clod.

meatspace

[qwertphobia (825473)]

How long before the disgruntled sysadmin replaces the disgruntled postal worker in the zeitgeist?

Only when disgruntled sysadmins start damaging meatspace. Really, it's possible, but only then will people start waking up.

Re:meatspace

[ScentCone (795499)]

Only when disgruntled sysadmins start damaging meatspace.

When someone blows away the contents of 70 servers, they ARE damaging meatspace. Real time, stress, cash, and possibly very serious side-effects to real meat can result (especially in health care operations and record keeping). We just need more people to be aware of how the things that they pay money for, and get or don't get with the fruits of their labor, are diminished by the acts of crooks and vandals of ALL sorts. Inside IT jackasses, retail store theft/shrinkage - all of that. People don't want to think about it, not least because it's a reminder that there really are just plain bad people out there, and that they cost us all a little (and sometimes not so little) piece of our lives. I don't know about you, but the only life I'm getting is in meatspace. Chip away at that - however indirectly - and you're messing with the only thing that matters. And there are thousands of people chipping away, every day. Disgruntled IT guys aren't any different than disgruntled anyone else, but they can cause damage in unique ways, given their reach and the subtlety of their line of work.

Re:meatspace

[CFTM (513264)]

Right but the question was "When will going sysadmin replace going postal" and the answer is never because they are fundamentally different entities. Yes, this is a total ass clown thing to do and yes it does lots of REAL damage. People do not end up dead with bullet holes in them; people may be dead because some health services group isn't able to pull their record and gives them medication that they are allergic to but that won't capture the imagination of the American public. Walking in to a public building and opening up with fire arms, has, unfortunately caught the imagination of our society.

Apples and oranges...

Re:meatspace

[SharpFang (651121)]

Actually, it may get much more spectacular than wrong medications served to patients.

Flight control hacking
Railway tracks control
Time bombs in firmware of cars (in all cars of given model, after given date, once the speed is over 60mph, disable brakes and force power steering all the way to the left)
huge chemical industry factory manufacturing systems
municipal gas networks
oil pipelines control
Nuclear power plants
halon dump release system firmware
top secret strategical plans posted to usenet
military devices control systems

meatheadspace

[Gription (1006467)]

. . .

The real panic for the public happens only when individuals fear for their lives.

This is basically the exact reason that Homeland Security is the biggest terrorist organization in the US.

(The news media is right up there though...)

Re:meatspace

[ScentCone (795499)]

There are data backups which can be restored

If you trash 70 servers, you are seriously down and out of business for a while. And someone with that degree of access may also have corrupted data that goes way back into your backups. You don't know. You have to check. And for many businesses, being down and out for, say, 48 hours... it's a death sentence. Just-in-time manufacturers, retailers... they can wind up in contract breach, lose customers... if that happened to some retailers during the peak of their holiday sales season, it would bankrupt them. And when an IT person who KNOWS that chooses to shut down a business - and possibly kill it, costing everyone who works there their jobs, and everyone who invested in the business their money, and every customer who uses the vendor a resource - then that's not a bit different than torching their warehouse or otherwise acting to ruin the operations and the people who depend on it and have worked to build it. Three years in prison for deliberately, methodically attempting to ruin other people's lives and livehihood? You think that's too much? Your moral compass is way off, friend.

Re:meatspace

[Brad Eleven (165911)]

Depending on 70 servers to support a business--health care or otherwise--and presuming that someone will simply support them is worse than presuming that your car will simply work if your maintenance is limited to keeping gas in the tank. Worse yet, most of those who employ systems support personnel for important systems tend to treat them like replaceable parts. I am presently engaged in a surreal conversation with a group of people who express shock and dismay that the previous sysadmins here didn't document their procedures--so now there is no one to set up the 20-odd people they've just hired for the expensive and vital business application for which they are responsible. After three meetings, they seem ready to move from denial to anger and bargaining. I doubt that they'll ever consider the management who keep turning over their systems staff to save a little money in the short term. I'm wondering how to break it to them that I'll be out of here before Q2 arrives.

Sure, there are idiot sysadmins out there who think that the job is all online. It's not: it includes a lot of clerical work, from recording serial numbers to negotiating maintenance agreements. On top of that, there are myriad fools who think it's easy, and more than a few who think it's cute to bash the profession.

Further, it's not the kind of job you can just leave at the office. Even if you're not on call--which you kind of are all the time--the problems you're solving tend to stay with you. Conversely, this defines the personality of the career sysadmin: We don't like to let go of unsolved problems.

Developers know very well that software is never perfected--it's just abandoned. Consider that systems software is no different.

IMHO, the penalty we're discussing was handed out by the same type of cluelessly fearful magistrate who thinks s/he can "send a message to hackers everywhere." I presume that most of us here feel the same mix of superiority and dread that the technology we're familiar with--earn our livings with--is far beyond the scope of the law of the land.

On the bright side, systems administration can be awesomely satisfying. You get the chance to save the day, sometimes with a bit of trivial knowledge. You can feel secure in the knowledge that you are a member of a group so elite that there is no training for what you do. It was a sysadmin who figured out that broken computer in the Apollo 13 command module was exactly the same as the intact one in the Lunar Excursion Module.

Consider that systems administrators are only contacted when something is broken, or needs improvement. Try phoning your sysadmin to tell him/her that things are running smoothly, and that you appreciate glad for what s/he does every day and night.

Re:

[Oligonicella (659917)]

Oh, bullshit. Having one set of asshats does not beget the second set of asshats.

Re:meatspace

[Deagol (323173)]

How can they be more private than "deleted"?

Re:meatspace

[daeg (828071)]

Fear and appease the mighty systems administrator, lest he make your CD tray eject at random and hit thy knee, causing grave distress and injury.

No, no...

[johndiii (229824)]

Fear and appease the mighty systems administrator, lest he make thy coffee holder retract at random and spilleth thy coffee all over thy desk and thy pants, causing much consternation and stains that are really hard to get out.

Blue-collar crime versus white-collar crime

[Dekortage (697532)]

This is kind of like the difference between blue-collar and white-collar crime. If I physically break into your house and steal a thousand dollars of property, it's blue-collar. If I intentionally falsify tax documents and earnings statements in order to pump up my company's stock value, then cash out for millions of dollars while you and the other stockholders are left holding the bag, it's white-collar.

Both are crimes. The first appears more "meatspace" than the second, but the consequences of the sec

Well..

[Killjoy_NL (719667)]

How long before the disgruntled sysadmin replaces the disgruntled postal worker in the zeitgeist?

Maybe then they'll fear us MWUAHAHAHAHAHHAA :D

Re:Well..

[Alioth (221270)]

I am a post office system administrator. Double power!

Re:Well..

[soulsteal (104635)]

I am a post office system administrator. Double power!

More like quad damage!

Yeah

[suso (153703)]

How long before the disgruntled sysadmin replaces the disgruntled postal worker in the zeitgeist?

Hmmm, let's just get through today and I'll get back to you.

Disgruntled sysadmins?

[morgan_greywolf (835522)]

Ehm, I don't think the disgruntled sysadmin will ever really enter the zeitgeist. If a company has good IT policies and practices in place, the disgruntled sysadmin really isn't that big of a problem.

In my mind, this means that you should always have more than one admin, never giving anybody absolute authority over ALL systems. With offsite backups and redundant systems, the damage any single admin could do would be minimal. Maybe costly in terms of downtime, but nothing that's going to grind your business to a halt. Just as in government, there needs to be checks and balances. Giving a single admin too much power is a very bad idea.

What I want to know is: Why would a sysadmin do things like planting a logic bomb anyway? I mean, we're talking about your PROFESSIONAL REPUTATION here. This guy's never gonna work in IT again.

Re:Disgruntled sysadmins?

[hal9000(jr) (316943)]

Just as in government, there needs to be checks and balances. Giving a single admin too much power is a very bad idea.

Your plan sounds good in theory, but unfortunately, it rarely works in practice. Distinct separation of duties and powers requires a great deal of discipline on the organization. It took an act of congress to force get public companies, and in particular, the executive board, to take responsibility over accounting practices.

Besides, little ot todays software lets you seperate duties in a meaningful way or to require double authorization for critical actions.

2 1/2 years is a light sentence compared to the damage this guy could do. Thankfully, most sysadmins are honest ethical people.

Re:

[Ruprecht the Monkeyb (680597)]

For big business, that's fine. Most small businesses are lucky to have a single full-time IT person, and redundant systems just aren't going to happen. A week's downtime without customer records for billing, etc., while servers get rebuilt and data restored could kill them.

Re:Disgruntled sysadmins?

[nighty5 (615965)]

The problem is, the common threat for most organisations is that an employee only needs full access to only one or a couple of critical assets, not all systems.

I've been in security for over 10 years and I tell you know, if you have an employee with enough access and dedication to bring down the company down to its knees, they will probably succeed.

IT policies and practices won't save a company against criminal activity, the law handles that just fine.

I don't get this...

[Corporate Troll (537873)]

Why so destructive? I would be way more effective to place a "corrupter" on the network. Instead of destroying the data, let it gradually corrupt the data. Way more damage, and probably much harder to recover from with backups.

Re:I don't get this...

[FuzzyDaddy (584528)]

You're missing the psychology of the situation. He wanted everyone in the company in a complete panic at once, so they would be really sorry they laid off poor old Andy Lin. It wasn't the damage, it was the psychological effect he was looking for.

Re:I don't get this...

[morgan_greywolf (835522)]

Or replace or, in open source systems, edit the NIC driver(s). Have it change random bits in the packets. They'll probably spend WEEKS trying to track THAT down. :-D

Re:I don't get this...

[tnk1 (899206)]

Why so destructive? I would be way more effective to place a "corrupter" on the network. Instead of destroying the data, let it gradually corrupt the data. Way more damage, and probably much harder to recover from with backups.

A number of reasons. A top reason is that a slow burn corruption doesn't make any impact. This guy is trying to make a statement, and you don't make a statement if no one finds out that someone fucked them over. He wants to show them that they "messed with the wrong guy". A slow burn sort of corruption is something a calculating, mercenary industrial saboteur would do. That pro's motivation is probably a payoff and he wants to stay in business, while this guy is just acting out his feelings of being unappreciated and underestimated.

Secondly, if you do it the slow way, it takes time and he could have only had a short window before he expected his access to be revoked or a fix to be applied without actually doing much damage.

Mostly though, for a slow insidious sort of attack, you have to be a cold, calculating sort of customer, and those sorts tend to realize that you will end up paying fines and in a federal "pound me in the ass" prison if they get caught. It generally takes someone who is a hothead who simmers for awhile and then explodes to actually execute these sorts of acts.

Re:

[by Anonymous Coward]

How long before the disgruntled sysadmin replaces the disgruntled postal worker in the zeitgeist?

2.5 years, apparently.

a logic bomb?

[theheadlessrabbit (1022587)]

so would everyone in the blast radius of this 'logic bomb' be hit with a blast of reason and common sense?
would those affected begin acting rationally?
maybe the courts would wake up and start letting the common people win for a change.
i think we need more of these logic bombs.

live long and prosper, logic bomber...

Re:a logic bomb?

[sm62704 (957197)]

live long and prosper, logic bomber...

If it was financial data I might agree with you, but this guy destroyed medical records. How would you feel if all your medical records were destroyed? Especially if you were right in the middle of chemo, or radio, or treatment for AIDS?

This guy's sentence was not only just, I think it should have been longer. I have a freind in Dwight Correctional Center [slashdot.org] (a maximum security women's prison in Illinois) for selling a couple of joints to an undercover cop. Are you telling me that destroying medical records is less harmful that marijuana?

Re:

[Logic Bomb (122875)]

Thank you for your kind words.

I'm going to plead the 5th on this particular incident, though....

Isn't being disgruntled...

[Billosaur (927319)]

...part of a sysadmin's job description?

Dead man switch

[INeededALogin (771371)]

We all have thought about planting a Dead Man Switch [wikipedia.org]. The difference between us and this guy is the same difference between saying you want to kill someone and actually doing it. This guy sucks and deserves prison and to be banned from the workplace. As a Unix Engineer who has survived and been part of layoffs in the past, this type of person is not fair to the rest of the team. If you aren't gonna be the best, don't put scripts in place to punish the people that are.

The saving grace in this case was not the guy who found the script(he of course milked it for what it was worth), but the fact that this guy did things half-assed. His original script had a bug in it(not tested)... these are the same reasons that he probably lost his job to the better people on the team when the cuts came.

Label me a troll if you want... but this guy was trash and is where he belongs.

Re:

[mccrew (62494)]

His original script had a bug in it(not tested)... these are the same reasons that he probably lost his job to the better people on the team when the cuts came.

What is interesting, perhaps even mind boggling, is that it appears that he hadn't lost his job. When his birthday rolled around in 2004 and the logic bomb didn't fire due to the bug, he was able to apply a fix and reset it for his birthday in 2005! You'd think that he wouldn't want to be around when it went off.

wow, that's harsh

[jollyreaper (513215)]

I would like to give this admin credit for not just walking into the place with a high-powered assault rifle and shooting at random.

I've heard some tales of the disgruntled from back in the day. The most common "I quit" sabotage was taking the reel-to-reel's from the library and dumping them in a sink with water. But the worst worst worst one I heard of, one that could even be an urban legend because of how evil it is, it was the revenge of an angry admin who wanted the company to pay dearly for the evils visited upon him. He sets up this program that doesn't run until several months after he leaves the company. Note, this is back in the days of tapes and computer operators who worked the night shift and moved the tapes from one drive to another, 1970-somethings. Anyway, what his program did was step through EVERY tape in the library. He shuffled it in a random order so nobody would become suspicious. The operator just follows the prompting on his terminal, never the wiser. By the time the sequence is complete, every tape has been erased. As the story goes, the company had no offsite backups and was ruined.

Revenge fantasies are fun but seriously, a job is a job. If you go out in a blaze of glory at one, it will make finding the next one a lot more difficult, especially with a felony on your record. But I guess if he was thinking clearly we wouldn't be reading about this in the first place.

Re:wow, that's harsh

[greenfield (226319)]

I would like to give this admin credit for not just walking into the place with a high-powered assault rifle and shooting at random.

I wouldn't. I think a minimum qualification for participating in our society is knowing that "walking into a place with a high-powered assault rifle and shooting at random" is wrong. What's next? Giving people credit for not spitting on people who annoy them?

I have been angry at work. I took a more reasonable approach: I quit and found a different job.

life-threatening?

[sholden (12227)]

"""
Liebermann noted that if the bomb had taken down Medco's network, people using a Medco prescription card would not have been able to fill any new prescriptions. "That could be very serious, maybe even life-threatening, depending on the need for that medication," Liebermann said.
"""

So what happens when they have a network failure for some other reason? Bad hardware, power outage, building fire, comet impact...

Malfunctioning DRM and other logic bombs

[dpbsmith (263124)]

Faulty DRM and "software activation" schemes are logic bombs, too.

There is of course a a very important difference, in that they are not intended to do anything but enforce the bombers' legal rights. Or, at any rate, what the bombers credibly believe to be their legal rights.

But when a malfunctioning Microsoft server trips the "kill" switch on legitimate copies of Vista, I think it's fair to call that a logic bomb of sorts.

No, I don't think Bill Gates should do 2.5 years of jail time, but it is disappointing that Microsoft was not held accountable for this beyond a few weeks' of mildly embarrassing publicity.

Sounds about right

[Sounder40 (243087)]

The story's author and the prosecuting attorney point out that this involved risk to patients and not just a company's finances. However, I think it's simpler than that: If I worked at, say, a guitar shop, and I took a hammer to the guitars in the shop, that's destruction of the shop's assets. For Medco, their assets include the customer/patient data. Destruction of the assets is a crime. Whether it was done with a computer or a hammer is insignificant.

On a separate subject entirely, that ComputerWorld web page is exactly what's gone wrong with the web: The content I wanted to see (the article) is spread out over three pages, and each page only contains approx. 10% of the content I want to see. The other 90% of the page contains shit, and probably blinky shit if I wasn't using Firefox and Adblock Plus. I don't know why web sites do that. Do they actually think they're adding value? Another one on the list of web sites to avoid...

How long?

[KodaK (5477)]

"How long before the disgruntled sysadmin replaces the disgruntled postal worker in the zeitgeist?"

Well, I think first a sysadmin has to, you know, kill someone. This incident does not even remotely compare with postal shootings. I'm all for hyperbole, but, fuck, it has to be within a couple of orders of magnitude.

Professional / Trade

[DeanFox (729620)]

Label me a troll if you want... but this guy was trash and is where he belongs.

You're not a troll. I think maybe he should have got the 10 years. I wouldn't expect a doctor loosing his hospital privileges to start killing patients in revenge. There are some things, disgruntled or not, that you just don't do.

I say that and yet I feel for the guy. I've been disrespected by suits and have gone to sleep fantasizing about wiping a system. It felt good. But in the morning, I got up and went to work to get a job done.

Many in IT are bitter for good reason. Most of the IT in my area was layed off 9/12/2001 and a week later offered their jobs back at half what they were making. A few of my friends have trained their Indian offshore replacements. I see jobs advertised that want 5-7 years expert experience in 12 different programming languages, 10 different platforms and a four year degree with a starting salary less than a manager at McDonnalds would make.

What do you do... We're a new profession with growing pangs. It took a centry for doctors to fight off the mid-wife. Eventually, the world will come to accept that computers are important enough that they want the best people and will treat the Admin with the importance that work entails. It's starting. Google does it. Others do too. We'll get there.

-[d]-

Nice work if you can get it

[MillionthMonkey (240664)]

I once worked for a guy who had to maintain some code that a consultant had written several months before. (Ironically this was at a place that handled medical records.) He stumbled across a logic bomb in the consultant's code that hadn't gone off yet. I forget the details but he said it was some sort of obfuscated routine that used a number of inputs, including the timestamp, to produce its outputs, and the timestamp was a legitimate input needed by the routine for real reasons. It was being manipulated with some goofy number in some way to cause an overflow on a certain date, which was still several months away.

So he figures, oh, it's a logic bomb, and not being terribly intrigued by it enough to study it, he just kicked up the number to push the deadline back by a century and left it at that.

Three or four days after the bomb was set to go off, they got a phone call from the guy asking if they had any work for him.

Re:

[somersault (912633)]

It probably does exist, but then you get people like you coming along and posting off-topic that ruin it ;)

Re:seems fair, but...

[demonlapin (527802)]

I'm an anesthesiologist. It's virtually impossible for judges and the lay public to determine, really, whether I committed malpractice (absent blatantly criminal acts). In fact, most doctors would probably need a fair amount of exposition to determine whether or not I committed malpractice (as I would, in turn, if faced with a case from another specialty). And yet we are judged by twelve people who could not escape jury duty. Yes, I'd prefer if I were judged only by my colleagues, and so would you. But if that were the case, nobody would ever trust us. It's the price you pay for having a society.

Re:seems fair, but...

[MMC Monster (602931)]

IANAAIAAC (I am not an anesthesiologist, I am a cardiologist), and I agree.

There are things that you really need a great deal of training to understand, that expert witnesses cannot really stress to a jury. When I get sued for malpractice, I would much rather have a jury of my peers and a physician-judge than 12 guys that were picked up off the street, with jury selection involving a prosecuting attorney that wants to get all the educated individuals eliminated from the jury pool.

Re:

[rk (6314)]

My guess is you're a very good cardiologist, because otherwise you'd know that malpractice is a civil matter and that a prosecuting attorney is not involved in your case at all (at least in the United States).

Or, you're a really bad one, and your malpractice rose to the level of criminal negligence, which is when a prosecutor would get involved. :-P

As an anecdotal counterpoint to your jury selection process: I was on a jury for a medical malpractice case against the surgeon (an appendectomy that went w

Re:Going Sysadmin

[isa-kuruption (317695)]

Yes, but in this case, we are talking about dead people.

The result of the bomb on the server infrastructure would have caused patients to not have their life-saving prescriptions delivered thus putting their health at risk. So, if it had gone off, it is possible there could have been deaths due to his actions.

Re:

[by Anonymous Coward]

because you didn't submit the story when it was hot

ITSALLYOURFAULTFUCKER