Ex-Employee Busted For Tampering With ERP System
ErichTheRed writes "Here's yet another example of why it's very important to make sure IT employees' access is terminated when they are. According to the NYTimes article, a former employee of this company allegedly accessed the ERP system after he was terminated and had a little 'fun.' 'Employees at Spellman began reporting that they were unable to process routine transactions and were receiving error messages. An applicant for his old position received an e-mail from an anonymous address, warning him, “Don’t accept any position.” And the company’s business calendar was changed by a month, throwing production and finance operations into disorder.' As an IT professional myself, I can't ever see a situation that would warrant something like this. Unfortunately for all of us, some people continue to give us a really bad reputation in the executive suite."
Beats hitting printer with a baseball bat... (Score:2)
... right?
Re: (Score:3)
Nothing beats hitting a printer with a baseball bat...
...unless it involves hitting a router or server with a baseball bat.
Re:Beats hitting printer with a baseball bat... (Score:5, Funny)
Or rolling the old server off the roof. And video taping it. Through each window the server passes by. And from the ground. In super slow-mo.
Re: (Score:2)
I prefer sledgehammers.
Not implying sledgehammers beat bats for beating gear, just stating a personal preference.
Thermite or a LOx fire is a more impressive display, but nowhere near as cathartic.
Re: (Score:2)
so you abuse your printer every time it's out of paper?
Their security processes suck (Score:4, Insightful)
Proves that security is a process, not a product.
I always suspect.... (Score:1, Insightful)
I always suspect that companies in these cases deserve what happens to them, even though the other party in the fiasco demonstrates their own lack of ethical principles.
It's like a psychological glitch, I guess.
Re: (Score:1, Insightful)
Riiiiiight. It's the victim's fault. Clearly. They could have prevented the situation, after all...
Just like it's a hot woman's fault for getting raped... she could choose how she was going to dress, after all...
Give me a break!
Re: (Score:2)
Actually, in the case of running a business, there are a lot of "victims" in situations like this. But the business is entrusted with a lot of things and they have been shown to violate that trust when they allow things like this to happen. Sometimes these types of trusts are enforced by law such as SOX or HIPAA. Other times it's merely an expectation for which a law may not have yet been written.
Re:I always suspect.... (Score:4, Insightful)
He did not say it was their fault, he said they might have deserved it. Are you unable to read and parse English?
Obviously the IT worker is still a jackass and responsible for the whole thing if the summary is accurate (which it rarely is, but that's irrelevant to my point)
Give me a break with your half-assed sarcastic replies with absolutely no thought put into them.
Re: (Score:2)
He did not say it was their fault, he said they might have deserved it. Are you unable to read and parse English?
I'm curious, by what moral logic does someone "deserve" to lose $90k because of something that was NOT their fault?
Re: (Score:2, Flamebait)
Actually, yes. There's such a thing as guilt through sufficiently gross negligence. For example, if you leave your car unlocked and the windows rolled down with a stack of hundred dollar bills in the front seat, you deserve to walk back to find them gone. Chances are, your insurance won't cover such a loss, because it is, at least in large part, your own fault.
Re: I always suspect.... (Score:2)
Uh, no. The only way you can be guilty of something is if you break a law. If someone gets killed on your property because you created an unsafe condition you may be found guilty of gross negligence (killing someone is against the law). In the scenario you described you are not guilty of anything because leaving your car unlocked with money in it is not against the law. Your insurance company may refuse to pay because you created a higher risk than you agreed to, but that in no way means you are guilty
Re: (Score:2)
You may want to actually check your local laws, here it is illegal to not secure a vehicle. If you are a real asshole to the cops when reporting someone stole your car or valuables, the cops will remind you that you can be charged with failing to properly secure your motor vehicle. Usually calms the idiots down.
Re: (Score:2, Informative)
yea .... failing to secure a vehicle has nothing to do with locking it. It has to do with making sure it will not move on its own.
A person commits the offense of failure to secure a motor vehicle if the person is driving or is in charge of a motor vehicle and:
(a) The person permits the vehicle to stand unattended on a highway without first doing all of the following:
(A) Stopping the engine.
(B) Turning the front wheels to the curb or side of t
Re: (Score:2)
It's not that you deserve to find your money gone, it's that - unless you're incredibly naive - you should be unsurprised to find it gone. Important difference.
Gross negligence would be if it wasn't your money, but you had promised to keep it safe - in which case you still would not deserve to find it gone, but you would deserve the owner's ire.
(as an aside, if I saw an unlocked car with the windows rolled down and a stack of hundred dollar bills in the front seat, I'd be looking around for the hidden c
Re: (Score:2)
In both cases it would still be a criminal offence.
Re:I always suspect.... (Score:5, Funny)
I always suspect that companies in these cases deserve what happens to them
Did you see the outfit that ERP was wearing? That general ledger module was WAY above its knee. And I think the CRM middleware was wearing a lot of perfume. Totally asking for it.
Re: (Score:3)
Meh. Everyone has a choice. They can either take responsibility for their actions, or they can be immature and blame other people for them.
100% sure? I doubt that... unless you are saying you are the accused yourself.
Because you see, he's claiming "not guilty", so that would imply he's asserting that he didn't do it. In our society one is innocent until proven guilty, so it makes no sense for anyone other than the accused to be 100% certain of anything in that matter, let alone that he felt he had
Re: (Score:2)
Nonetheless, even if you believe that everything in the universe is completely deterministic, we still appear to ourselves to make completely free-choices, and any determinism that may be involved in such apparent free choices is well outside of our ability to perceive or measure, and so for our purposes, the choices that we make may as w
Re: (Score:3)
I think I just lack empathy for non-humans. Companies aren't people. When they suffer, I just see numbers changing on a ledger.
Re:I always suspect.... (Score:5, Insightful)
I think I just lack empathy for non-humans. Companies aren't people. When they suffer, I just see numbers changing on a ledger.
That's funny...when companies make people suffer that's all they notice too...
Re: (Score:2)
And you somehow have the moral high ground with your own evil desires? I at least know that I'm wrong. You're just a bad person.
how to NOT give everyone passwords? (Score:2, Insightful)
I have yet to work somewhere where the password management wasn't simply a nightmare.
Isn't there some utility that could be added to all systems and unify password management?
Is there a password management unicorn? (Score:1)
>> Isn't there some utility that could be added to all systems and unify password management?
I can tell you've never worked in IT by the fact you asked that question.
Re: (Score:2)
Isn't there some utility that could be added to all systems and unify password management?
Single sign on, and tools like Active Directory aren't just in beta testing, you know?
Re: (Score:3)
...and tools like Active Directory aren't just in beta testing, you know?
Nope; just that it seems like it at times. ;/
Re: (Score:2)
That requires an IT department full of competent people and not just interns hired at $10 an hour. Most systems don't talk well with each other, and require custom code to implement single sign-on. This is especially true of home-grown systems built 20 years ago.
Everybody wants to use a computer. Nobody wants to learn how or at least pay someone who knows how.
Re:how to NOT give everyone passwords? (Score:4, Informative)
Password Management is not the same as access management. In terms of password management, yes, you can standardize all systems to authenticate and authorize from a central system (LDAP, AD, RADIUS, RSA Tokens, etc.) The issue becomes when a person leaves, turn it off and all their access goes away. The issue is for proprietary systems that use things like digital certs, or that do not play well with centralized auth systems (i.e. lazy programming in my book for enterprise apps).
As for the other piece, access management, this has to do with the knowledge (and proof) that a person was given access to (and what level of permissions) as well as who approved, and who implemented the account creation/deletion. There are systems which cost millions of dollars to manage access and the subsequent audit requirements around it.
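The distinction drawn in the comment above, as an added example that is not part of the original post or any product: an offboarding reconciliation that shows which logins die with the central directory account, which local accounts survive it, which accounts have no approval record, and which shared credentials were not rotated after a holder left. All user names, system names, dates and record layouts are hypothetical and constructed for illustration.

```python
from datetime import date

# Constructed sample data; every name and date here is hypothetical.
ROSTER = {  # HR view: left_on is None for current staff
    "asmith": {"left_on": None},
    "bjones": {"left_on": date(2024, 2, 1)},
    "cwu": {"left_on": date(2024, 3, 15)},
}
# Accounts still enabled in the central directory (LDAP/AD style).
DIRECTORY_ENABLED = {"asmith", "cwu"}  # cwu left, but was never disabled
SYSTEMS = {
    "vpn": {"central_auth": True, "accounts": {"asmith", "bjones", "cwu"}},
    "wiki": {"central_auth": True, "accounts": {"asmith", "cwu"}},
    # Proprietary system with its own user table, not tied to the directory.
    "erp": {"central_auth": False, "accounts": {"asmith", "bjones", "svc_batch"}},
}
# Access-management record: (system, account) -> approver.
GRANTS = {
    ("vpn", "asmith"): "mgr1", ("vpn", "bjones"): "mgr1", ("vpn", "cwu"): "mgr2",
    ("wiki", "asmith"): "mgr1", ("wiki", "cwu"): "mgr2",
    ("erp", "asmith"): "mgr1", ("erp", "svc_batch"): "mgr1",
}
SHARED = [  # shared credentials and who knows them
    {"system": "erp", "account": "svc_batch",
     "known_to": {"asmith", "bjones"}, "rotated_on": date(2024, 1, 10)},
    {"system": "wiki", "account": "wikiadmin",
     "known_to": {"cwu"}, "rotated_on": date(2024, 4, 1)},
]


def effective_access(user, directory_enabled, systems):
    """Systems the user can still log in to right now.

    A centrally authenticated system is reachable only while the directory
    account is enabled; a local account works regardless of the directory.
    """
    reachable = []
    for name, info in systems.items():
        if user not in info["accounts"]:
            continue
        if not info["central_auth"] or user in directory_enabled:
            reachable.append(name)
    return sorted(reachable)


def audit(roster, directory_enabled, systems, grants, shared):
    """Return (kind, subject, detail) findings for an offboarding review."""
    findings = []
    departed = {u: r["left_on"] for u, r in roster.items()
                if r["left_on"] is not None}

    # 1. Password/authentication side: what can departed users still reach?
    for user in sorted(departed):
        reachable = effective_access(user, directory_enabled, systems)
        central = [s for s in reachable if systems[s]["central_auth"]]
        local = [s for s in reachable if not systems[s]["central_auth"]]
        if central:
            findings.append(
                ("DIRECTORY_ACCOUNT_NOT_DISABLED", user, ",".join(central)))
        if local:
            findings.append(
                ("LOCAL_ACCOUNT_STILL_ENABLED", user, ",".join(local)))

    # 2. Access-management side: every account needs a recorded approval.
    for name in sorted(systems):
        for acct in sorted(systems[name]["accounts"]):
            if (name, acct) not in grants:
                findings.append(("NO_APPROVAL_RECORD", acct, name))

    # 3. Shared credentials known to a leaver and not rotated since.
    #    A same-day rotation is flagged too, since ordering is unknown.
    for item in shared:
        stale = sorted(u for u in item["known_to"]
                       if u in departed and item["rotated_on"] <= departed[u])
        if stale:
            findings.append(
                ("SHARED_SECRET_NOT_ROTATED", item["account"], ",".join(stale)))
    return findings


if __name__ == "__main__":
    for finding in audit(ROSTER, DIRECTORY_ENABLED, SYSTEMS, GRANTS, SHARED):
        print(*finding, sep="\t")
```
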
Not Guilty (Score:5, Informative)
He plead not guilty, and he's yet to be convicted, but I can definitely envision a scenario whereby shutting his account off could cause catastrophic failure of many systems. This typically happens when someone does not follow best practices with service accounts and such and is not an uncommon situation.
That being said, he could have been really fucking pissed at them and decided to fuck with shit. Some management out there can be real fuckheads to their employees.
Re: (Score:2)
It's not beyond the realm of possibility for example that the IT department decided to do the damage themselves. Highly unlikely considering the level of damage done of course, but still possible
Re: (Score:2)
What, you can't even change his password?
Re: (Score:2)
a scenario whereby shutting his account off could cause catastrophic failure of many systems
A former administrator did this crap.
My first act was to change the password on the golden privileged account ("administrator" he called it), and then create a least-necessary-privilege account for everything that broke.
A lot of things didn't work at first, but they were all working better than before within a few weeks.
Intentionally breaking it this way also gives unique insight into which users are utilizing which service offering - they'll be screaming about what doesn't work for them. (It's pretty much
Re: (Score:2)
The management/HR answer is usually to give the new worker the old worker's passwords, so they can get stuff done.
He'll never work in IT ever again... (Score:2)
Re: (Score:2)
Well seems the Mgmt did make the right decision on the promotion.
Because "IT People" are not "Professionals" (Score:1, Interesting)
I have been mulling over this fact for a while now and some conclusions have been forming that I find to be extremely disturbing.
1. Degrees in "IT" are worthless in that they do not pertain particularly well with technology as it seems to evolve very quickly.
2. Degrees in "IT" are worthless because there is no one standard like there is with law and medicine.
3. As a resort against the first two problems, the industry has favored "certifications" but the problem with that is they become little more than fanc
Re: (Score:1)
If software was engineered to a creditable standard, like building a bridge, companies would shit themselves. Costs and timescales would go through the roof, filler developers wouldn't make the grade resulting in salaries booming. Unlike real engineering, software is trivial to update and patch once delivered, therefore, companies desire low quality products because given the choice the price is more important than big costs.
Re: (Score:3)
I don't know where to begin in response to this, so let's take this by point/paragraph.
1) An IT degree is not "worthless" because it teaches you certain technologies. You learn about specific technologies, and yes they change. However learning how a technology works (not just learning how to click a button and wow it works) is the true knowledge you are learning. I learned LDAP and Netware in college, and those technologies are fundamental to how I can look at all authorization technologies today, even tho
Re: (Score:2)
You're making up your own standards and definitions. That's kind of what I was getting at. There's no truly objective standard out there. There are bunches of subjective generalities out there though.
But think about what this lack of solid definitions and standards means now and going forward. The whole world now depends on what IT technologists do and yet there are few if any real standards. There are reputations and beliefs. Even if someone has multiple masters and even PhDs, what does it mean?!
I kn
BUT CS is not IT it's more on the programmer side of (Score:2)
BUT CS is not IT it's more on the programmer side of stuff and learning LDAP and Netware in college is nice (it sounds like a tech school) But some degrees are loaded with theory that helps you maybe if you are coding at a low level but in the long run you may be better off learning stuff that is more at the trades / tech school level if you want to DO NON programming IT work and you also need to learn some stuff hands on.
also going up the degree tree becomes more and more about the academic side of stuff w
Re: (Score:2)
One lesson I learned the hard way: Certifications seem meaningless to the IT person and the people immediately surrounding them. However, out of the direct hierarchy, the only thing that matters are those colorful pieces of paper with alphabet soup abbreviations on them.
In fact, I've had jobs where some muckety-muck comes in, demands every single IT person produces certificates to "prove they are capable of operating the equipment." Ironically the most experienced guy in the bunch who has been in the ind
Re: (Score:2)
We had a
Re: (Score:2)
That is the irony of it all. Certs tend to have very little correlation with how clueful a person is. A technically savvy IT person knows enough to blow away the smoke, toss a broken machine in front of a candidate, and say "fix it". Either the guy fixes it, makes a good attempt, or obviously fails. No amount of BS is going to magically create a yum repository or ifconfig an adapter up.
However, when you get to the levels above the IT people, they don't see how good/bad people are at the jobs unless the
Re: (Score:2)
Yeah well sometimes it's not your fault. The employer throws various unrelated projects at you.
My current employer, for example. When I got hired I had to learn a proprietary product that nobody else used; it was an internal project. Afterwards, I got shifted to a team lead position so I had to learn a lot about leading people; then I found an opportunity and moved on to become a Service Delivery Manager, and that's a whole different world. Had to learn ITIL and related stuff. I have even done project manag
Re: (Score:2)
But you can't do modern science if you don't understand the science of 10, 20, 100 years ago. But in IT you can get a functional job despite being poorly educated in the field. Certs are the worst, they're nearly meaningless when viewed alone, but in some fields they're essential to even get in the door. With a million interchangeable employees it doesn't help you to say that you can learn the technology quickly, they want to see a cert that says that you can be a drone instantly. Certs give companies t
Re: (Score:3)
They give you a solid grounding in a subject and give you the skills to teach yourself about the subject.
No they don't; they're paper. As for giving you the skills to teach yourself about a subject? You could have done that from the very beginning.
Certifications are simply a way to prove to a prospective employer that you know the subject.
But they don't do that. Certifications test for rote memorization and not much else.
It's business as usual... (Score:5, Interesting)
ERP (Score:2)
And what is ERP?
Re:ERP (Score:5, Informative)
Enterprise Resource Planning - software that's supposed to be the backbone of a company that handles all business processes, invoices, payroll, inventory, operation scheduling, finance etc, but is usually just a pain in the ass that employees have to endure.
http://en.wikipedia.org/wiki/Enterprise_resource_planning
Petty stuff (Score:2)
As an IT professional myself, I can't ever see a situation that would warrant something like this.
I can see a great many situations. But all of them revolve around people being less than professional. Just because you act professionally doesn't mean your boss will, or your coworkers, or another department that feels threatened by a project of yours, etc. You may not be petty, but a lot of people are.
And that pettiness, in the right set of circumstances, can lead to an otherwise respectable person doing something like this. Human beings have a strong need for vengeance. Our judicial system is based on it,
Re: (Score:2)
It's however not applicable in this particular case. The guy was a jerk from start and he just continued to act as such. Or at least that's what I got from TFA.
Wonder if (Score:3, Funny)
Re: (Score:3)
No. He would have burned down the building, if that were the case.
ERP? (Score:5, Funny)
Re: (Score:2)
Boom de-yadda, if you know what I mean.
Resignation == Termination? (Score:5, Informative)
I actually bothered to read the article, and the ex-employee in question RESIGNED by giving two weeks notice after being repeatedly passed over for promotion.
Maybe in this day and age, we are now supposed to refer to anyone leaving a company as being terminated, but I for one think there is a profound difference between terminating an employee vs their departure on their own accord.
With that said -- seeing that this guy was butt-hurt enough to leave and commit these acts against his employer shows that he wasn't working with a full-deck.
So I don't think the employer "had it coming" or provoked it -- since they seemed happy enough to employ him, but just didn't see him fit for a higher level position.
Re: (Score:2)
Second this; when someone resigns, their employment with the company is terminated.
Why can't the submitter RTFA before posting? (Score:5, Informative)
Here's yet another example of why it's very important to make sure IT employees' access is terminated when they are. (...)allegedly accessed the ERP system after he was terminated and had a little 'fun.
You go, RTFA and this is how it starts..
But after Mr. Meneses was passed over for promotions, he was upset enough to announce his resignation, giving two weeks’ notice. Before his final day in January 2012, colleagues caught him copying files from his computer to a flash drive, the authorities said. They cut off his access to company servers.
So, first of all, he was not terminated, he was mad and left the company. He was still on his two weeks' notice, so, in theory, had legitimate reasons to access the servers. When the company saw strange behavior, they cut his access. So, looks like a case of a pissed up asshole who decided to go out with a bang and got busted for it.
You think that is bad?? (Score:5, Interesting)
At a small company I worked for years ago there was a tendency to fire accountants (who simply didn't agree with the CFO). Turns out the CFO was embezzling funds and a number of folks just didn't want to go along with the program. So one day the CFO fired this one accountant and it was pretty bitter.
As the IT director I had advised the CFO many months earlier that IT needs to oversee all the software and accounts in the company as it is a security matter. He agreed to all but the accounting software and its controls (he didn't want anybody seeing his criminal ways).
So one day after firing the accountant, someone writes a $1,000,000 dollar check to a customer and it gets processed. Suspicion turns to the accountant having access, but there is no proof. The CEO and CFO both stop by my cubicle complaining how could this happen?? I simply told them you advised me several months back not to put the accounting software or user accounts under any IT control, even after I had warned you of the security dangers. We can't firewall a separate system that IT is not in charge of or have credentials to... Frustrated they walked away, annoyed like they couldn't blame someone for their stupidity.
I kind of felt sympathy for that accountant, although he probably should have contacted the authorities. I had no way of knowing, except rumors you hear. Pretty ballsy, but that's what happens when suits have their ego and lack of ethics... Eventually there was an investigation on the books and things flew wide open. I left the company prior to it hitting the fan.
I really don't understand people who do that (Score:4, Insightful)
Why do people ever think that it's a good idea to leave a trail of destruction behind them?
It doesn't make you clever, you're just abusing access. Any idiot can screw things up.
There's a huge potential downside for you: if you get caught, you face prosecution, or at the very least, a negative recommendation.
And obviously there is no upside for you. It's not like your tantrum is going to get you that job/promotion/whatever. You want them to miss you because they used to have such great quality work products from you, and now they don't have them anymore.
Awesome work, not tantrums, is what will keep you in a happy professional career.
Re: (Score:3)
Why does a dog lick his balls. Because he can...
Re: (Score:2)
Why does a dog lick his balls. Because he can...
An apt comparison.
If your dog is licking his balls excessively, it could be a sign of skin irritation, infection, or injury. In other words, if your dog is really going to town on his balls, that means that there's probably something wrong with him.
Similarly, if an IT "professional" abuses his authorities to wreak havoc on an organization, there is probably something wrong with him, too.
Re: (Score:2)
Annnnd here's my favorite out of context /. quote of the week (year?).
Re: (Score:3)
Annnnd here's my favorite out of context /. quote of the week (year?).
It's only May.
Re: (Score:2)
You've never felt the urge for revenge even though it won't really benefit you? You've never had anyone steal from you, destroy your property, assault you, cheat on you, backstab you or in some other way made your life miserable and just wanted to make them miserable in return? Yes, usually "it's not worth it" wins but I find it strange if you've gone through life without ever tasting that rage. When I discovered that my car had been vandalized for no reason, if the perp had still been there then I think I'
Re: (Score:2)
Awesome work, not tantrums, is what will keep you in a happy professional career.
You should create inspirational posters!
Re: (Score:2)
There's a huge potential downside for you: if you get caught, you face prosecution, or at the very least, a negative recommendation.
You mean when you get caught, not if. The money men have enough money to hire anyone they need to both (a) tell them what happened and (b) who did it and (c) fix it. You can bet that they won't mind paying extra to settle the score with you after something like this. In such a case a negative recommendation is going to be the least of your worries.
Proper procedures (Score:2)
Proper procedures for any IT or security dismissal (or really, for anyone with access to sensitive/proprietary information) is escorting them from the building, disabling their access while they are being told that they're terminated. Any external access they have is revoked by the time they get to the front door; any shared accounts they know (like root, su or domain admin) have their external access suspended until the passwords can be changed. Collect their IDs, corporate cell phone, USB devices, etc. bef
Re: (Score:2)
When I was preparing to give my employer three (rather than two) weeks' notice, I was fully prepared to be shown the door that very moment, and got all my ducks in a row just in case. As it turns out, they kept me on. But when I gave my manager my formal resignation, I also gave him a note saying (essentially), "I have accounts on the following systems.... for everyone's protection, please see that they are disabled as soon as is appropriate."
Re: (Score:2)
While commonly held to be good practices, many of the actions listed are actionable -some are even criminal. Be very sure you know where you stand legally before attempting to detain someone against their will, or to deprive them of their personal property. Most likely you will be fine, but all it takes is one person asserting their rights, and someone overzealously acting on the company's behalf, and you have a serious problem.
Re: (Score:2)
You disable all but base corporate access to systems. You have the person who is leaving begin the knowledge transfer (or if you are a decent company, you were doing it already) and have all the information put on team shares, etc. So the person still does not have access to any mission critical systems, only has email and basic network share access, and then they can do nothing but damage their PC (which will be ghosted anyways) and maybe some file share or email servers. None are mission critical (yes,
Re: (Score:2)
"Thank you for your service! Here's two weeks paid leave. Since you won't need to log in during your leave we'll go ahead and disable your account."
My take: IT will never be "professional" (Score:2, Insightful)
There are two things that really bug me about this story and stories like this:
One of the things I would really like to see before I retire is the ability of IT / systems engineering to grow up a little bit and attain the same level of recognition that professional engineers enjoy. I'm old and curmudgeon-y at 38, but one o
Don't piss off the people you are firing (Score:2)
They always have insider-knowledge. They always can do serious harm.
Treat them with respect, justify the firing rationally, help them find a new job, give them a good recommendation, etc. And once you do that, your risk of them sabotaging you drops tremendously. If you treat them like trash, they will not retain any shred of loyalty to you. Rather obvious, I would think.
Interestingly, in many civilized countries, you routinely stay on and work after having gotten a termination notice or resigning until the
Re: (Score:2)
What about this article, where the guy quit of his own volition?
Re: (Score:2)
Don't piss off employees? Rather obvious again...
While this guy was an *sswipe... (Score:5, Insightful)
Unfortunately for all of us, some people continue to give us a really bad reputation in the executive suite."
Sorry, but nothing, and I mean nothing, compares with the bad reputation the executive suite has with everyone. Psychotic bastards, the lot. Have you forgotten the whole banking fiasco that caused a massive economic meltdown? So, I think if anyone has a reputation to fix, it is upper management.
Re: (Score:2)
Unfortunately for all of us, some people continue to give us a really bad reputation in the executive suite."
Sorry, but nothing, and I mean nothing, compares with the bad reputation the executive suite has with everyone. Psychotic bastards, the lot. Have you forgotten the whole banking fiasco that caused a massive economic meltdown? So, I think if anyone has a reputation to fix, it is upper management.
Rich means never having to say you're sorry.
It's not just IT (Score:2)
There are plenty of operations in the business world where people can fuck over the company they're working for. Sales people sometimes take customers from place to place, mechanics may do stuff that only "they can repair", HR folks and bookkeepers could make or document minor discrepancies and either use blackmail to keep a job or report everything to a state inspection agency.
It's the same problem if you don't deactivate access cards or change keys - you can still come on the property without raising atte
What the fuck is ERP? (Score:2)
Would it kill you to at least use the full phrase once in the summary so we know what it's about?
Re: (Score:2)
'Enterprise Resource Planning' honestly doesn't say anything about what it's for or what it does, either. You're on slashdot. If you can't be arsed to goog some TLA's, you're going to have a bad time!
Think "integrated system with all of your business processes in it" like AP, AR, Payroll, Invoicing, etc. You should already know what it stands for if you are in IT.
Re:ERP (Score:5, Insightful)
Derp is right... no better way to destroy any hope of a career, than to do something monumentally stupid like this.
I've left positions that have been, to put it charitably, crap. Once it involved hard feelings against an asshat that destroyed the department.
OTOH, the golden rule is to never touch the machinery. EEOC and labor laws be damned, HR critters do talk to each other; even if your stupid stunt never made the news, it will make the rounds. Rest assured this guy will have to move to the other part of the country at the very least.
Re: (Score:3)
Ask a friend to pretend to be a prospective employer, let them ask the questions by email (so you have it black on white)
If they reply in a negative fashion, then you sue the bastards.
Re: (Score:2)
If they reply in a negative fashion, then you sue the bastards.
Depends - if the negative reply is the truth (without embellishment), you can't sue them for a damned thing in most states.
Mind you, this includes things like "we let him go because of successive negative performance reviews" and such.
Employers get the same protections from libel/slander suits that individuals do. If they have a paper trail and witnesses, they can and will prevail. By the way, there's another hazard of getting all lawyer-happy: The lawsuit makes that negative stuff public record, especially
Re: (Score:2)
You have a very rude surprise ahead of you.
Re:ERP (Score:4, Insightful)
Then I would say his actions after he quit may provide a good clue why he was passed over for promotions.