“A disgruntled developer has been sentenced to four years in prison after building a ‘kill switch’ that locked all users out of a US firm's network the moment that his name was deleted from the company directory following his termination.”
The bigger issue that nobody seems to have addressed is how a single developer could have a machine that only he had access to that could run this code with admin privileges over their Active Directory. Eaton should immediately explain what kinds of safeguards it has instituted to prevent this from happening again. If I were the CEO I would be thanking this person for having revealed this kind of access control vulnerability.
Yes, and this is especially concerning because Eaton makes IoT devices. Imagine the damage a disgruntled employee could do by deploying malicious code to devices on millions of consumers' networks. A company of this size, with this large of a blast radius, should be highly diligent about internal threats.
Just as a thought exercise, the better kill switch is a dead man's switch that is disarmed every month or two until its next run, also one that acts as malicious ransomware that deletes everything including itself and all logs.
Obviously don't do this, because you don't want to be more morally bankrupt than your employer, or your whole argument of righteousness falls apart. The morally righteous never would, because they already know that employment in the US is voluntary for both sides. Also, over time, one would absolutely forget to disarm it.
Reminds me of the Siemens contractor David Tinley, who programmed an Excel spreadsheet to deliberately break periodically so that they had to hire him to "fix" it. But then it happened while he was on vacation, and he was forced to explain to Siemens employees how to "fix" the spreadsheet.
Most of us don't have work phones; that's stuff from the early 2000s at best. Lugging around another brick just for work, no thank you.
That being said, answering anything work related outside of work, unless they are your truly close friends, is lame and considered a character weakness, to be abused. And don't expect any extra bonus points for that.
Having a good private (aka actual) life you are willing to defend ain't a sign of weakness, on the contrary.
We have an outright criminal at the top, healthcare CEOs can kill you with Excel by the tens of thousands, but a company loses some money and the rules suddenly apply?
Morality aside, that’s kind of hilarious.
Regardless, it should be pretty obvious that if an attacker gains RCE, they can do a lot.
I regularly see orgs with orphan machines running that no one understands or wants to touch.
How crazy would it be if he were framed?
Tinley pleaded guilty and got 6 months.
https://www.zdnet.com/article/siemens-contractor-pleads-guil...
What an absolute joke.