Posted on 03/11/2025 11:59:28 AM PDT by ShadowAce
We all, at some point, have fantasized about giving our employers a big middle finger on the way out the door, whether we leave on our own volition or are pushed out. Well, a 55-year-old Texas man allegedly built an automated bird flipper in the form of a kill switch that crashed his company’s systems and locked people out of their accounts when he was fired. Satisfying as that may have been, he now faces up to 10 years in prison, according to the Department of Justice, for setting the trip wire on his way out the door.
Here’s the situation: Houston, Texas resident Davis Lu started working for a company headquartered in Beachwood, Ohio back in November 2007. (The DOJ didn’t identify the firm, but a local report from Cleveland.com indicated that it is power management company Eaton Corporation.) After about 10 years on the job, Eaton underwent a 2018 “corporate realignment,” and Lu had his role downsized, seeing his responsibilities and system access reduced, per the DOJ’s account of the situation.
So, Lu used his newfound free time to build systems of sabotage that would get set off if he were ever let go—which, based on what he had just experienced, probably felt likely to him. That included planting malware that created “infinite loops” that deleted the profile files of his coworkers, blocked login attempts, and crashed the company’s systems. He also built a kill switch that, if activated, “would lock out all users,” according to the Department of Justice.
The kill switch, which Lu named “IsDLEnabledinAD,” was designed to check to make sure Lu’s account was enabled in the company’s Active Directory of employees. Assuming it was, everything was fine. But the day that Lu’s name was removed from active status, the kill switch kicked in—which happened on September 9, 2019.
According to the DOJ’s telling, Lu’s code “impacted thousands of company users globally.” In court, Eaton claimed that Lu had managed to cause the company “hundreds of thousands of dollars in losses,” which frankly would probably be pretty satisfying, though Lu’s defense attorneys claimed that Eaton only suffered about $5,000 in damages, per Cleveland.com.
Unfortunately for Lu, it didn’t take too long for Eaton to trace the attack back to him: the malicious code was being executed from a software developer server that Lu had access to, on a computer using Lu’s user ID. Lu had also deleted encrypted files from his company-issued laptop on the day he turned it back in, and his internet history apparently contained searches for ways to “escalate privileges, hide processes, and rapidly delete files.”
“Sadly, Davis Lu used his education, experience, and skill to purposely harm and hinder not only his employer and their ability to safely conduct business, but also stifle thousands of users worldwide,” FBI Special Agent in Charge Greg Nelsen said in a statement—which is really like, three-fourths of the way to being a pretty good endorsement of his abilities if Nelsen had left it on his LinkedIn profile instead of issuing it as a statement following his conviction.
Lu faces up to 10 years behind bars for “causing intentional damage to protected computers,” though he plans to appeal the court’s ruling.
I once heard of a guy who put raw shrimp in a filing cabinet and then disabled the lock.
Now that’s nasty.
I got RIF’d twice in the ’80s and was personally escorted out of the building by the head of security, which I found amusing...
Not exactly, LOL. But since the kill switch was named "IsDLEnabledinAD" it's fairly obvious that it was a Windows environment.
Well said.
Me too.
I asked if they would put the cuffs on me for a joke.
No sense of humor.
They tased me.
They didn't. The whole ship still smells like rotten eggs.
Nope, no sense of humor at all...
With *NIX, simple enough to do, even without access to a personnel database.
There are lots of one-line commands that will crash the OS. Some also will corrupt all the data in the doing. They teach some of these to junior admins so they know what NOT to do.
So create a daily cron job as the trigger. It tests whether File X has been ‘touched’ in the last 30 days. If the file hasn’t been touched in 30 days, invoke the corruption routine.
First thing every morning on reporting to work, open File X to reset its ‘last touched’ date. If you don’t come to work for 30 days, the cron job takes for granted you want the place burned down and has at it.
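The cron-based dead-man’s switch described in the post above has a recognizable shape: a liveness probe (has a file been touched lately? is an account still present or enabled?) chained with `&&`/`||` to some other command, often a destructive one. The script below is an added example written for this thread, not code from the article, the DOJ case or any poster; it audits a constructed crontab for that shape. All paths, user names and patterns are assumptions made for the demonstration.

```python
"""Heuristic scan of crontab entries for dead-man's-switch patterns.

A scheduled job is suspicious when it couples a liveness probe (file-age
test, account-existence check) with another command, and especially when
that command is destructive.  The sample crontab below is constructed for
this example; the paths and the user 'jdoe' are hypothetical.
"""
import re
from dataclasses import dataclass, field

# Constructed sample crontab (hypothetical paths and user names).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh --target /srv/backup
*/5 * * * * /usr/bin/curl -s http://localhost:9100/metrics > /var/tmp/metrics.txt
30 6 * * * [ -n "$(find /home/jdoe/.heartbeat -mtime +30)" ] && /opt/scripts/cleanup.sh
15 3 * * 1 id jdoe >/dev/null 2>&1 || rm -rf /srv/data
@daily /usr/sbin/logrotate /etc/logrotate.conf
"""

# Liveness probes: "has this file gone stale?" and "does this account still exist?"
STALENESS_PATTERNS = [
    r"find\b.*-(mtime|mmin|atime|ctime)\s*\+\d+",
    r"stat\s+-c\s*%[YXZ]",
    r"-newer\b",
]
ACCOUNT_PATTERNS = [
    r"\bid\s+\w+",
    r"\bgetent\s+passwd\b",
    r"\bldapsearch\b",
    r"userAccountControl",
    r"EnabledinAD",
]
# Commands that should never sit in a scheduled job without explicit review.
DESTRUCTIVE_PATTERNS = [
    r"\brm\s+-[a-zA-Z]*r[a-zA-Z]*f\b",
    r"\brm\s+-[a-zA-Z]*f[a-zA-Z]*r\b",
    r"\bdd\s+if=",
    r"\bmkfs(\.\w+)?\b",
    r"\bshred\b",
    r">\s*/dev/(sd|nvme|vd)",
]
CONDITIONAL_CHAIN = re.compile(r"(&&|\|\|)")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    severity: str = "info"
    reasons: list = field(default_factory=list)


def split_entry(line):
    """Return (schedule, command) for a crontab line, or None for comments/blank."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if stripped.startswith("@"):               # @daily, @reboot, ...
        parts = stripped.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = stripped.split(None, 5)            # five time fields, then the command
    if len(parts) < 6:
        return None
    return (" ".join(parts[:5]), parts[5])


def _matches(patterns, command):
    return any(re.search(p, command) for p in patterns)


def classify(command):
    """Score one command: (severity, reasons)."""
    reasons, probe = [], False
    if _matches(STALENESS_PATTERNS, command):
        reasons.append("file-age liveness probe")
        probe = True
    if _matches(ACCOUNT_PATTERNS, command):
        reasons.append("account-state probe")
        probe = True
    destructive = _matches(DESTRUCTIVE_PATTERNS, command)
    if destructive:
        reasons.append("destructive command")
    chained = bool(CONDITIONAL_CHAIN.search(command))
    if probe and destructive and chained:
        severity = "high"      # probe gates a destructive action: dead-man's-switch shape
    elif (probe and chained) or destructive:
        severity = "medium"    # probe gates an opaque script, or destructive command alone
    elif probe:
        severity = "low"
    else:
        severity = "info"
    return severity, reasons


def audit_crontab(text):
    """Classify every job in a crontab; returns one Finding per job, comments skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        entry = split_entry(line)
        if entry is None:
            continue
        severity, reasons = classify(entry[1])
        findings.append(Finding(line_no, entry[0], entry[1], severity, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        if f.severity != "info":
            print(f"line {f.line_no} [{f.severity}] {f.command}  <- {', '.join(f.reasons)}")
```

Run it against `crontab -l` output or the files under `/etc/cron.d` on a review basis; the point is to surface jobs whose behaviour depends on whether a person or account is still around, which is exactly what a change-control review of scheduled tasks would ask about.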
Personally, I live in a market that’s small enough that if you were to sabotage a system, it would keep them from getting a job.
Lots of a-holes in IT, that’s for sure. I worked for a guy who a lot of people thought was a jerk, but he had high standards, and if he questioned you, you’d better have an answer or tell him you’d get back to him with one. He just expected a lot out of folks, but it was never personal.
My first IT manager I worked for, his father was a multi-millionaire lawyer who had a building named after him at a university, and he had a full-auto Tommy machine gun. I never shot it, but he took some co-workers out with the stipulation that they had to pay for the ammo they shot. Everyone said it was a blast to shoot. He had gone through the process to get all the appropriate licenses, and this was back in the late 1980s.
Maybe he got moved around because he was smart but had a lousy attitude...
Don’t Windows “updates” and enhancements do the same kind of things to our computers?
It’s been done: https://www.computerworld.com/article/1353402/computer-saboteur-sentenced-to-federal-prison.html
Guess I made a lasting impact
True, but he planted the code to monitor if he still worked there, and trigger if not.
Not in this guy’s case, at least.
AND don’t use your initials in the name of the program, AND have it delete itself after it’s done its damage.
Ooh, I’d forgotten about that case. I’m in industrial control systems where Omega was up until that time a significant player so we were aware when it happened.
I used Clarion/TopSpeed to create a program that tracked orders through our company. I started it in the early ’90s, and while it was updated over time, a lot of the code and files were legacy. We had been using the program for about 14 years when the crap hit the fan.
So we went through a merger and, a year later, I found myself being let go. I was the VP of Operations and a minority owner, but the yutzes we had merged with had screwed up, put the company in a financially untenable situation, and somebody had to go. Two of the five owners were cut loose.
When I started writing the program, I made the order number field only 5 characters. I could see that we were approaching 99999 and that I was going to have a big project. There were 17 relational files and a couple dozen data screens and reports that were going to have to be changed. I estimated between 48 and 72 hours to complete the task. We were closed over Christmas break, so I had planned on doing it then. They let me go in November and gave me until the end of the year to train the 5 people that were replacing me.
All that to say I was not motivated to make the update.
A month after I was gone, one of the remaining owners contacted me. He saw they were approaching 99999 and wanted to know what would happen. I explained that the files, screens and reports needed to be updated. We were moving to New Mexico in a week, but I offered to do it over a weekend for $4500. They laughed and said they would handle it.
A year later we were back in town for my Dad’s memorial service. I swung by the old job to see how they were coming along.
The same owner that had asked me about the 99999 situation pulled me into his office. He said that the other owners might not be happy to see me. Without going into details, instead of costing them the $4500 I had offered to do the job, they ended up paying over $45,000 to have it done and it shut down the company for two weeks.
It made me smile.
I retired from an AD IT environment about a decade or so ago, so I am a bit rusty on this subject matter. However, it appears to me the person in question had AD admin privileges that were never removed when he was demoted. If his account privileges had been limited to just the server he was working on, it is unlikely he would have nuked the company when he left.
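The point above is that privileges should track the current role, not the role someone held before a realignment. As an added example (not code from the article, the company or any poster), the script below runs a least-privilege drift check over a constructed directory export: it flags accounts holding privileged groups their current role does not grant, accounts whose role changed after their entitlements were last reviewed, and disabled accounts still sitting in privileged groups. The role-to-group policy, group names and accounts are all assumptions invented for the demonstration.

```python
"""Least-privilege drift check over directory group memberships.

Constructed example: a hypothetical role-to-entitlement policy and a few
made-up accounts.  Real deployments would feed this from a directory
export (e.g. a CSV of sAMAccountName, role, memberOf, dates).
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical policy: privileged groups each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "developer": {"Dev-Server-Admins"},
    "senior-developer": {"Dev-Server-Admins", "Build-Admins"},
    "support": {"Helpdesk-Operators"},
}
# Groups that confer administrative rights anywhere in the environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Dev-Server-Admins", "Build-Admins", "Helpdesk-Operators"}


@dataclass(frozen=True)
class Account:
    sam: str
    role: str
    groups: frozenset
    role_changed: date   # last time HR/IAM changed the role
    last_review: date    # last time group memberships were reviewed
    enabled: bool = True


# Constructed directory records (no real users).
SAMPLE_ACCOUNTS = [
    Account("alice", "developer", frozenset({"Dev-Server-Admins", "Domain Users"}),
            date(2018, 3, 1), date(2019, 1, 15)),
    # demoted mid-2018 but still holding Domain Admins, never re-reviewed
    Account("bob", "developer", frozenset({"Dev-Server-Admins", "Domain Admins", "Domain Users"}),
            date(2018, 6, 1), date(2018, 1, 15)),
    Account("carol", "support", frozenset({"Helpdesk-Operators", "Domain Users"}),
            date(2017, 5, 1), date(2019, 1, 15)),
    # role changed after the last review; holds a group the role does not grant
    Account("dave", "developer", frozenset({"Build-Admins", "Domain Users"}),
            date(2019, 2, 1), date(2019, 1, 15)),
    # disabled on departure but left in a privileged group
    Account("erin", "support", frozenset({"Helpdesk-Operators"}),
            date(2017, 5, 1), date(2019, 1, 15), enabled=False),
]


@dataclass
class DriftFinding:
    sam: str
    excess_groups: frozenset
    stale_review: bool
    disabled_privileged: bool


def excess_privileges(acct):
    """Privileged groups held that the account's current role does not grant."""
    allowed = ROLE_ENTITLEMENTS.get(acct.role, set())
    held = acct.groups & PRIVILEGED_GROUPS
    return frozenset(held - allowed)


def review_stale(acct):
    """True when the role changed after memberships were last reviewed."""
    return acct.role_changed > acct.last_review


def disabled_but_privileged(acct):
    """True when a disabled account still holds any privileged group."""
    return (not acct.enabled) and bool(acct.groups & PRIVILEGED_GROUPS)


def audit(accounts):
    """Return a DriftFinding for every account with at least one problem."""
    findings = []
    for a in accounts:
        excess = excess_privileges(a)
        stale = review_stale(a)
        disabled = disabled_but_privileged(a)
        if excess or stale or disabled:
            findings.append(DriftFinding(a.sam, excess, stale, disabled))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"{f.sam}: excess={sorted(f.excess_groups)} stale_review={f.stale_review} "
              f"disabled_privileged={f.disabled_privileged}")
```

The three checks map to three distinct control gaps: an entitlement the role never justified, a role change that nobody followed up with a review, and an offboarding that disabled the account without removing its group memberships. Any of the three is a ticket for the identity team rather than something to leave until the next annual review.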
I thought it was Su, not Lu??? ;-)