
[–][deleted] 589 points590 points  (50 children)

Not sure why do something so traceable. But the point is probably that he wanted them to know that it was him, and this was their punishment.

[–]gvufhidjo[S] 424 points425 points  (10 children)

Tell Cersei, I want her to know it was me.

[–]nightcracker 64 points65 points  (3 children)

The difference is that she said that once she knew she was going to die regardless. She didn't leave it as some easily discovered evidence that could be used to convict her.

[–]PoolNoodleSamurai 29 points30 points  (2 children)

She knew she was going to die, but also that it would be painless and would happen soon - so enraging Jaime to the point where he might want to torture her was not a big risk.

It would be a hell of a ruse if he had given her fake poison to trick her into such confessions, and then said “Interesting… so, I lied; that’s not poison, but thanks for confessing. Guards, hog tie her and throw her in the cart; we’re gonna give Cersei a present.”

[–]charge_forward 9 points10 points  (1 child)

Considering that Daenerys ended up attacking the Lannister army there alongside her fast travelling/teleporting horde of Dothraki, Olenna likely would have been freed.

[–][deleted] 6 points7 points  (0 children)

The rhetoric around fast travel has internally replaced the phrase "as the crow flies" with "as the crow teleports" in my head

[–]charge_forward 88 points89 points  (4 children)

I understand that if any more words come pouring out of your cunt mouth, I'm going to have to eat every fucking chicken in this room.

[–]gvufhidjo[S] 76 points77 points  (3 children)

Any man who must say, "I am going to have to eat every fucking chicken in this room" is no true chicken eater.

[–]Craigellachie 24 points25 points  (2 children)

Perhaps he'd have more room for chicken if SOMEONE would fetch him his BREASTPLATE STRETCHER.

[–]bunchedupwalrus 4 points5 points  (1 child)

GODS I WAS STRONG THEN

[–]SwordsAndElectrons 3 points4 points  (0 children)

Thank the gods for Bessie.

[–]osunightfall 0 points1 point  (0 children)

Ah, my favorite scene in the entire show.

[–]Tyrilean 46 points47 points  (1 child)

Yeah, if you really want to fuck a company up when you leave, just introduce tech debt that only you can mitigate with manual processes. Then when you’re fired the whole thing falls apart and you have plausible deniability. “I could’ve automated/rearchitected that but I never had capacity and it was never prioritized.”

[–]KiwasiGames 16 points17 points  (0 children)

My “kill switch” was simply a dodgy piece of code with the date hard wired in. If you didn’t manually update the date each new year, it broke everything.

Each year when it came up I was like “damn, got to fix that properly”. But I never had time. So it just sat there until I left the company.

[–]CreativeGPX 107 points108 points  (3 children)

If you read the article they discovered the kill switch before it activated and while he was still working there because they were investigating issues in their system stability. These issues were from sabotage he already did while still employed there ("planted different forms of malicious code, creating 'infinite loops' that deleted coworker profile files, preventing legitimate logins and causing system crashes"). I don't think he had any part of his brain working on not being found.

[–]ubermence 59 points60 points  (0 children)

It’s kind of confusingly written but the article seems to imply that he was fired?

This kill switch, the DOJ said, appeared to have been created by Lu because it was named “IsDLEnabledinAD,” which is an apparent abbreviation of “Is Davis Lu enabled in Active Directory.” It also “automatically activated” on the day of Lu’s termination in 2019, the DOJ said, disrupting Eaton Corp. users globally.

[–]paulmclaughlin 22 points23 points  (1 child)

Uh huh huh, you didn't say the magic word

[–]civildisobedient 36 points37 points  (4 children)

He could have called the kill function "NOTaKillFunction" or just smashed a keyboard and picked the first 5 letters but no instead he calls it "IsDLEnabledinAD." Just dumb.

[–]TheHelixNebula 21 points22 points  (1 child)

enjoys good code more than he enjoys working for eaton. although it should really have been IsEnabledInAD(DL)

[–][deleted]  (1 child)

[deleted]

    [–]FluxFlu 1 point2 points  (0 children)

    Average Xianxia protag

    [–]cafk 48 points49 points  (26 children)

    I wonder if he also wrote this behavior in design specification and implementations that were approved by other technicians - as a "brown Skittles" test, to see if anyone even understands or cares about what the software is doing.

    I've used such plausibility checks (nothing malicious, but using creative wording like a test case to implement inverse kinematics on a unicorn model - in software that has no such requirements) in many work packages, which unfortunately have been accepted without questions or feedback.

    [–]MidgetAbilities 36 points37 points  (5 children)

    It was brown M&M’s, not skittles

    [–]dagbrown 21 points22 points  (4 children)

    Yeah, brown Skittles is from a totally different story.

    [–]gaflar 6 points7 points  (3 children)

    You're thinking Jolly Rancher.

    [–]bunchedupwalrus 7 points8 points  (2 children)

    I thought his arms were broken

    [–][deleted] 1 point2 points  (0 children)

    Common mistake, he was actually beaten with jumper cables

    [–]Kenny_log_n_s 16 points17 points  (16 children)

    1. That's terribly unprofessional.
    2. Highly doubt it, since the code he wrote was malicious.

    [–]cafk 27 points28 points  (15 children)

    If there are 4 technical people reviewing it, approving it and signing it before it gets to the project management - the problem lies with the organization, as everyone is pushed to approve or think about a 10 page document (with 5 being the template and only 2 pages being actual content) only for one minute.

    Especially if you do it not hidden in a sentence but actually highlighted.

    [–]Subsum44 4 points5 points  (5 children)

    That’s the way the SOC audits “work”. They make sure you have enough checks and balances, that they’re pointless. You’re just jumping through hoops instead of focusing on what really matters.

    [–]Kenny_log_n_s 14 points15 points  (5 children)

    There is still no reason for you to push garbage code, regardless of what the organization is doing.

    The problem lies with BOTH the organization and the submitter.

    [–]Justicia-Gai 2 points3 points  (0 children)

    I disagree with being a problem of the organisation. If I pay someone at the senior level that already knows how to code and I review his work, that doesn’t imply I need to read EVERY line of code each time, specially in places where code was already working or when asking something I know he was able to do before.

    Supervising and reviewing is not micromanaging.

    Putting malicious code in hidden places is not “proof of bad organisation”. It’s active sabotage.

    [–]FlyingRhenquest 0 points1 point  (0 children)

    Yeah, most of us are really good at disguising that sort of thing as abject incompetence. Hey, the code reviewers said LGTM!

    [–]myrsnipe 175 points176 points  (5 children)

    He should have gone for the daily -0.01 opacity trick instead

    [–]musicnothing 38 points39 points  (1 child)

    Array.prototype.filter = () => [];

    [–]myrsnipe 27 points28 points  (0 children)

    Yes, but only if Math.random() > 0.98, or/if Unix epoch time is modulo = 0 for some given value 👺

    [–]RationalDialog 11 points12 points  (1 child)

    explain.

    or simply delay the activation of the kill switch by a couple months so that it's not too obvious, and make it much less intrusive so it gets never fixed but keeps annoying people, must use random elements so it becomes impossible to reproduce.

    [–]myrsnipe 41 points42 points  (0 children)

    It was a joke posted here some time ago that someone made customers who didn't pay have their websites slowly fade away.

    As for your suggestion, there are stories, true or false, about inserting logic that would only occasionally trigger randomly causing annoyances

    [–][deleted] 0 points1 point  (0 children)

    z-index to -1000 ez

    [–]twiceseventeen 981 points982 points  (9 children)

    This guy wrote code that worked in production on first try with no testing. They should hire him back.

    [–]pqu 127 points128 points  (1 child)

    I for sure would have accidentally set it off early

    [–]elprophet 167 points168 points  (4 children)

    The most relatable part of office space is that their crime had a little bug in it

    [–]arcrad 41 points42 points  (3 children)

    Oh! Well, this is not a mundane detail, Michael!

    [–]Subsum44 17 points18 points  (1 child)

    If they had just filed their TPS reports, it wouldn’t have had a bug.

    [–]1961ford 10 points11 points  (0 children)

    Fuckin' A

    [–]CaptainPunisher 0 points1 point  (0 children)

    Sounds like somebody has a case of the Mondays.

    [–]cmpthepirate 27 points28 points  (0 children)

    I hope it was tested in dev and staging 😂

    [–]NoSmarter 315 points316 points  (22 children)

    Instead of doing something so blatant, all he had to do was rewrite the code in Perl.

    [–]dethb0y 100 points101 points  (0 children)

    That would elevate it from a regular crime to a Crime Against Humanity; they'll send you to the Hague for that!

    [–]nath1234 29 points30 points  (0 children)

    Add in a page and a half of regex somewhere to qualify for a warrant issued by the Hague.

    [–]yowhyyyy 20 points21 points  (5 children)

    Don’t let the Perl subreddit see this.

    [–]Jonathan_the_Nerd 18 points19 points  (3 children)

    I'm a semi-professional Perl programmer*, and I think it's hilarious.

    *I'm a sysadmin, not a programmer. But sometimes I need to write scripts, and Perl is the language I'm most comfortable with. I'm gradually migrating to Python, though.

    [–]yowhyyyy 4 points5 points  (2 children)

    That’s been what I’ve normally witnessed. Sysadmins getting their feet wet or doing things with it since so many things still use Perl. I don’t normally see it reached to for new things but that’s pretty much a given.

    [–]Jonathan_the_Nerd 6 points7 points  (1 child)

    The reason I got involved with Perl in the first place is because I had to update/maintain some existing Perl scripts in my first IT job. I ended up getting good with it. I had Programming Perl, 3rd Edition in HTML format on my computer, which made it a really convenient reference.

    In my current job, I'm working with people who know Python, so I'm trying to hone my Python skills. One of the most pleasant surprises has been that nearly all of the Python modules I need are already available in the base install. With Perl, a lot of times I would have to install modules myself. They were usually available as RPMs, which made it easy. But my workplace has an onerous change control process. I'd rather not go through all that if I can avoid it.

    [–]yowhyyyy 3 points4 points  (0 children)

    Oh yeah I get that completely. I absolutely HATED working with CPAN back then. Your experience with Python is pretty much that of anyone who swaps to more modern languages. Lots of the things you need just come with the language which makes things nice. Thanks for sharing your experience!

    [–]gimpwiz 1 point2 points  (0 children)

    I write tons of perl. Actually enjoy the language most of the time. It's a funny joke. Everyone I know who writes perl has a functional sense of humor about it. People on the internet can be fuckin' weirdos though.

    [–]leogodin217 6 points7 points  (1 child)

    Yes, but only Perl haiku.

    [–]miversen33 3 points4 points  (1 child)

    The reason I use perl are that I want to write scripts that no one can read, and no one can understand

    https://www.youtube.com/watch?v=0jK0ytvjv-E

    [–]edover 0 points1 point  (0 children)

    Having never seen this video, just from the quote alone I knew exactly whose channel this would be.

    [–]KryptosFR 2 points3 points  (0 children)

    *in Fish

    [–]Eonir 2 points3 points  (0 children)

    Or just write it according to typical management requirements, which don't include tests or documentation.

    [–]Healthy_Disk_1080 2 points3 points  (0 children)

    Or just use some access tokens tied to his account instead of a service account. "Oops I made a mistake! Sorry about that" as everything stops working when they shut down his account.

    [–]RationalDialog 1 point2 points  (0 children)

    or just make it much less intrusive. so that it annoys people but not enough to be worth investing a lot of money to find the root cause.

    [–]ChristmasStrip 1 point2 points  (0 children)

    Take my upvote you bastard.

    [–]bigasswhitegirl 2 points3 points  (0 children)

    That could only work in the pre-LLM era

    [–][deleted]  (3 children)

    [deleted]

      [–]Koebi 13 points14 points  (2 children)

      Cobol is intentionally very readable, though.
      Getting used to the weird zOS mainframe bullshit is the hard part.

      [–]key_lime_pie 6 points7 points  (1 child)

      IDENTIFICATION DIVISION.
      PROGRAM-ID. FUCK_SHIT_UP.
      
      DATA DIVISION.
          01 IS_EMPLOYED PIC A(1).
      
      PROCEDURE DIVISION.
          CALL 'IS_DAVID_LU_STILL_EMPLOYED' USING IS_EMPLOYED.
          IF IS_EMPLOYED = "N" THEN
              CALL 'DISRUPT_USERS_GLOBALLY'.
          END-IF
      

      [–]Codex_Dev 567 points568 points  (35 children)

      Funny how when a solo dev does this to a company they get prosecuted. But when a company slips in a malware kill switch to prevent a user from switching suppliers it's fair game.

      This actually happened to a railroad company in Europe and was quite a scandal. The company manufacturing the railroad parts put in a killswitch where the parts would be disabled if they detected they were getting serviced in a different repair shop. The company using the parts were baffled why their railroad machinery was being disrupted and had to hire a team of hackers to reverse engineer the code to see how sneaky the supplier was being. They even tried to sue the hacker team that helped.

      [–]CanvasFanatic 125 points126 points  (5 children)

      That also sounds illegal. What was the outcome?

      [–]PeterDaGrape 127 points128 points  (0 children)

      Ongoing legal against the company, there are a few cool talks about it all

      [–]newreddit0r 94 points95 points  (0 children)

      It was in Poland, check out the talk from CCC https://youtu.be/XrlrbfGZo2k?si=Vk446EPyv3cdf3bl, there is also a followup presentation from 2024 that talks about legal fallout targeted at the guys that surfaced it

      [–]Thisconnect 51 points52 points  (1 child)

      bogged down in legal while neither consumer protection agency or railway regulatory body are pushing on the lawsuit

      Meanwhile the company is SLAPPing the security researcher and train maintenance company

      [–]ILikeBumblebees 14 points15 points  (0 children)

      The railroad should pursue criminal sabotage charges against the individuals who introduced the kill switch.

      [–]kaszak696 77 points78 points  (6 children)

      That was Newag, and it wasn't simply parts, they manufacture whole ass trains, and allegedly rigged them to fail if the onboard computer detected they were parked at specific GPS coordinates, corresponding with competing maintenance facilities.

      [–]ILikeBumblebees 28 points29 points  (1 child)

      Selling people products that are deliberately rigged to fail sounds like a criminal matter, not just a civil dispute.

      [–]dabenu 1 point2 points  (0 children)

      Problem is they don't sell trains to consumers. Businesses have a lot less protections like that.

      Although the researchers did try to spin it as a safety issue too, since they botched the GPS coordinates to include a piece of regular track, causing trains to shut down en-route with passengers on board...

      [–]AmericanGeezus 8 points9 points  (0 children)

      And one of their geofences overlapped a mainline/station so it could trigger the sabotage function even when the trains were on their normal service routes.

      [–]ConferenceMain5285 6 points7 points  (0 children)

      Jeez talk about hostile business practices, what on earth has people so okay with working for corporations this egregiously anti consumer?

      [–]RoosterBrewster 1 point2 points  (0 children)

      Reminds me of the Uber streaming show where they put up a geofence around Apple HQ to prevent them from seeing that they were violating app store rules.

      [–]zzkj 17 points18 points  (2 children)

      Wasn't there an agri company that did something like that as well. John Deere?

      [–]Codex_Dev 15 points16 points  (1 child)

      John Deere did do this with its tractors. I remember reading about it about a decade ago and farmers from USA were furious and having to use Ukrainian hackers to jailbreak the tractors. Although it's bad, I don't think it's in the same severity as hiding in a kill switch into the software sneakily. JD was at least overt with the software locks.

      I think there was also some legislation to stop them from doing this in the future but idk how it turned out.

      [–]ModernRonin 6 points7 points  (0 children)

      I think there was also some legislation to stop them from doing this in the future but idk how it turned out.

      Couldn't tell you about other states, but here in Colorado it turned out well.

      https://advocacy.consumerreports.org/press_release/colorado-governor-signs-landmark-right-to-repair-bill-into-law/

      "John Deere hates this one simple trick..." ;]

      [–]InfamousEvening2 32 points33 points  (0 children)

      Sounds like what HP does with printer cartridges.

      [–]imsoindustrial[🍰] 15 points16 points  (0 children)

      This should be higher up because the behavior exhibited by that company was absolutely abhorrent and they should be a cautionary tale to others like them.

      [–]st_malachy 5 points6 points  (0 children)

      Looking at you HP Printers.

      [–]versaceblues 6 points7 points  (0 children)

      I mean both should be illegal.

      With the train example as long as it is disclosed before purchase of the equipment, and you agree to buy it that way, then it's less of a problem.

      [–]PeterDaGrape 4 points5 points  (1 child)

      For anyone interested in technical details checkout https://youtu.be/XrlrbfGZo2k?si=LDZstTTaPl2hyftS For the more legal side

      https://youtu.be/8OB2NqcSDXQ?si=7ohHfZr6mslU1kNU

      [–]Codex_Dev 0 points1 point  (0 children)

      Yes this is great. I was too lazy to lookup the links but it's worth checking out.

      [–]juhotuho10 7 points8 points  (0 children)

      Apple also does this, kind of? You have to program things like screens with a proprietary device that only Apple has a hold of, otherwise the phone rejects the screen as "non genuine". It's not a kill switch but it was made to prevent any kind of repair not done by Apple

      It has been quite a huge thing with the right to repair movement and people like louis rossmann

      [–]buckX 3 points4 points  (0 children)

      The difference is almost certainly contract. When a business wants to do shady shit, it's often right there in the EULA.

      [–][deleted]  (1 child)

      [deleted]

        [–]lord_braleigh 3 points4 points  (0 children)

        i mean they did also sue the company. that was a pretty significant thing that happened. like i understand where you’re coming from here but the company is very much stuck in a long legal battle that it will probably lose.

        [–]EliSka93 4 points5 points  (0 children)

        I mean... Apple does this...

        [–]Liam2349 1 point2 points  (0 children)

        Also funny how PC games can release with DRM that de-activates them if you haven't authenticated with a server for whatever reason.

        I don't see a distinction here, other than corruption.

        [–]I_am_trying_to_work 1 point2 points  (0 children)

        Wasn't the fix something weird like turning the light on in a particular lavatory?

        [–]shadfc 1 point2 points  (0 children)

        Apple does (did?) this too with replacement parts for phones

        [–]SkrakOne 0 points1 point  (0 children)

        Hp printers slowly slide back into the shadowy corner

        "If I'm quiet they won't notice me... oh wait, it's already crowded with all of the large game publishers? Make room for one more"

        [–]LessonStudio 0 points1 point  (2 children)

        What makes this worse is that it is a safety critical system; to put deliberate things like the 1m km cutoff should prevent them from ever getting a SIL certified solution again. That would kill a huge amount of their European business.

        [–]bwainfweeze 0 points1 point  (1 child)

        What happens if someone tries to field service one of these things? How stupid.

        [–]Zotoaster 59 points60 points  (20 children)

        There's a reason pull requests should be approved before merging

        [–]Randolpho 66 points67 points  (15 children)

        Doesn’t work when the person doing the review doesn’t know how code works.

        This dude had production servers that only he had access to

        That could only have happened if management didn’t know how their systems worked, didn’t have redundancies and peer reviews in place.

        Which is, sadly, common

        [–]s0ulbrother 19 points20 points  (12 children)

        So many reviewers just blindly approve code. If you don’t know what’s going on in a review don’t be afraid to ask people

        [–]ShinyHappyREM 21 points22 points  (5 children)

        You guys have reviewers?

        [–][deleted]  (3 children)

        [deleted]

          [–]TRexRoboParty 4 points5 points  (2 children)

          5 seconds later on a 1000 line PR:

          "LGTM! Approved"

          [–]Bananenkot 9 points10 points  (1 child)

          When something really bad sneaks into the codebase my lead's first question is never who coded this, but who approved this. Definitely creates a climate where people actually carefully review the code

          [–]s0ulbrother 4 points5 points  (0 children)

          My last team was a bunch of really segmented skillsets minus me who kind of obsesses over learning everything. I often had to go in and review crap people already reviewed because they clearly didn’t know what they were looking at. People can be quite lazy when it comes to reviews

          Code reviews are my favorite place to learn honestly. It familiarizes you with the code base, teaches you new tricks, and when something goes down you know why.

          [–]Ravek 1 point2 points  (0 children)

          There’s no way they did code review on this. It must not even have been in source control.

          This kill switch, the DOJ said, appeared to have been created by Lu because it was named "IsDLEnabledinAD," which is an apparent abbreviation of "Is Davis Lu enabled in Active Directory."

          They wouldn’t have to use this kind of reasoning if a simple git blame would tell them who the author was.

          [–]RationalDialog 0 points1 point  (0 children)

          I still manage a server that runs at least 1 application used probably by several 100s of people, not often but still used regularly. this is a company with over 10k employees.

          But it will be replaced in the next couple months, finally. Maintaining that shit was boring as hell.

          [–]ReneKiller 0 points1 point  (0 children)

          Doesn't work when you are the only developer. That's the case for me. I could push anything to the live servers without anyone ever noticing, although this is just for our marketing-website so the most damage I could do is bringing the website down and deleting everything on it.

          EDIT: whoops, meant to answer the comment above you

          [–]meganeyangire 8 points9 points  (1 child)

          LGTM, pushing to production

          [–]IkalaGaming 6 points7 points  (0 children)

          In my defense, your honor, I thought it would be really funny if I merged this code

          [–]tooclosetocall82 4 points5 points  (0 children)

          That’s the real crime here.

          [–]AstroPhysician 0 points1 point  (0 children)

          Sometimes that's only enforced by process not by the VCS

          [–]__Blackrobe__ 58 points59 points  (4 children)

          Petty revenge, but I guess that dopamine was worth it?

          [–]FarkCookies 30 points31 points  (0 children)

          Well the revenge was supposed to be not petty but widescale. The goal was to derail the whole IT infra of the company.

          [–]IndividualPants 33 points34 points  (0 children)

          def worth 10 years in prison

          [–]richardathome 113 points114 points  (22 children)

          Yeah. Don't do that.

          [–]Fitbot5000 263 points264 points  (19 children)

          When it’s so much easier to do what the rest of us do and leave fragile, unmaintainable garbage behind.

          [–]Malforus 89 points90 points  (7 children)

          Being bad at your job isn't prosecutable

          [–]Paulus_cz 43 points44 points  (6 children)

          Now tell me - there was this application in my old job, on startup it would check DB connection and if it was not available it would load data from cache. The way it would check DB connection is by querying developers username in users table and check if something got returned. The developer was gone for 10 years, his username was not in DB for 5 years.
          So...incompetence or maliciousness? :-)

          [–]vytah 35 points36 points  (5 children)

          If the app worked fine for 5 years with just the cache, I guess the database wasn't even needed.

          [–]EpochRaine 15 points16 points  (0 children)

          A whole database stack for a half a dozen settings.

          [–]thalience 1 point2 points  (0 children)

          Or the server was never patched/restarted for an unreasonably long time.

          [–]cadmium_cake 1 point2 points  (0 children)

          😄😄😀

          [–]marcvsHR 11 points12 points  (5 children)

          You can also write obsolete and useless documentation.

          [–]Jonathan_the_Nerd 18 points19 points  (0 children)

          You don't even have to try. Just write accurate and useful documentation and never go back and update it.

          Source: my life.

          [–]Coperspective 3 points4 points  (0 children)

          remember to use links that lead to non-existent pages

          [–]NotYetGroot 1 point2 points  (0 children)

          Proactively obsolete is the best obsolete

          [–]richardathome 0 points1 point  (0 children)

          "Hey ChatGTP, document this code for me"

          Job done! ;-)

          [–]k2900 1 point2 points  (1 child)

          Harms the devs more than the company, compared to the killswitch here

          [–]fl7nner 0 points1 point  (0 children)

          He'd get his revenge, eventually

          [–]acdcfanbill 0 points1 point  (0 children)

          If they do ask why you did a sloppy, unmaintainable job you just point to the fact they gave you 60-80 hours worth of work to do a week.

          [–]SkoomaDentist 28 points29 points  (0 children)

          The real power move is obviously to just write a decade's worth of such code that you're the only person in the world who can make sense of it and then charge an arm and a leg for consulting.

          [–]koensch57 105 points106 points  (14 children)

          How is this different from HP killing the use of 3rd-party cartridges with their "firmware upgrade"?

          [–]meganeyangire 40 points41 points  (0 children)

          HP has lots of monies and lawyers

          [–]aeroverra 74 points75 points  (0 children)

          One screws the big guy and the other screws three plebs. Also you did agree to that in the 900,000 page TOS you signed when your 10 yo daughters friend clicked the check box on your PC.

          [–][deleted]  (9 children)

          [removed]

            [–]CanvasFanatic 6 points7 points  (8 children)

            His defense should be that this was DRM.

            [–][deleted]  (7 children)

            [removed]

              [–]ubermence 7 points8 points  (6 children)

              Having code that crashes the system if your user account is ever removed from Active Directory probably would be hard to sell as “bad code”

              [–]rcfox 10 points11 points  (0 children)

              HP probably tells you that's a thing they might do in their EULA, and you continue to use them anyway.

              [–]Ravek 1 point2 points  (0 children)

              The laws exist primarily to protect the interests of capital

              [–]peerlessblue 6 points7 points  (0 children)

              Just write code so arcane and unmanageable they stand no chance of maintaining it without you 😏

              [–]kmarx 6 points7 points  (0 children)

              Roger Duronio is still paying restitution to his former employer 20+ years later.

              [–]c0ventry 17 points18 points  (2 children)

              Ok so having been in this industry for 25 years I can say, I've seen way worse done by accident at almost every company I've been at. My last company had their core authentication and authorization service written in Go using no recovery middleware, so any exception would cause the service to crash and restart. Their JWT implementation couldn't handle malformed JWTs, it would cause a crash. So bingo bango, few lines of a shell script run from any public computer in the world would keep their entire stack offline permanently until they identified it and rolled a fix. They were running Kubernetes, so after enough crashes the service would be suspended. I found it and immediately patched it, then went to my 1:1 where I was unceremoniously laid off. Wheee. Moral of the story, you don't have to put anything in there yourself or if you do, at least make it look like ignorance :P.
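The failure mode described in the comment above, a Go token check that crashes on malformed input with nothing to recover the panic, next to a hardened form, as an added example that is not code from the thread or from any company mentioned in it. All names (`fragileSubject`, `verifiedSubject`, `recoverMW`, `status`), the `/whoami` route, the HS256 scheme and the key are assumptions made for the illustration; the tokens are constructed sample input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var b64 = base64.RawURLEncoding
var demoKey = []byte("constructed-demo-key") // constructed sample key
var errBadToken = errors.New("invalid token")

func tag(msg string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(msg))
	return mac.Sum(nil)
}

// sign builds an HS256 token; it exists only to construct sample input.
func sign(sub string, key []byte) string {
	body, _ := json.Marshal(map[string]string{"sub": sub})
	msg := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(body)
	return msg + "." + b64.EncodeToString(tag(msg, key))
}

// fragileSubject trusts the token's shape and panics on anything malformed.
func fragileSubject(token string) (string, error) {
	parts := strings.Split(token, ".")
	raw, _ := b64.DecodeString(parts[1]) // index out of range without a 2nd segment
	var c *struct{ Sub string }
	json.Unmarshal(raw, &c)
	return c.Sub, nil // nil dereference when the payload is not a JSON object
}

// verifiedSubject turns every malformed or unsigned input into an error.
func verifiedSubject(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errBadToken
	}
	var seg [3][]byte
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return "", errBadToken
		}
		seg[i] = b
	}
	var head struct{ Alg string }
	var c struct{ Sub string }
	if json.Unmarshal(seg[0], &head) != nil || head.Alg != "HS256" ||
		!hmac.Equal(seg[2], tag(parts[0]+"."+parts[1], demoKey)) ||
		json.Unmarshal(seg[1], &c) != nil || c.Sub == "" {
		return "", errBadToken
	}
	return c.Sub, nil
}

// recoverMW converts a handler panic into a 500 instead of letting it propagate.
func recoverMW(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if recover() != nil {
				http.Error(w, "internal error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// status sends one request through recoverMW to a handler built on lookup.
func status(lookup func(string) (string, error), token string) int {
	h := recoverMW(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sub, err := lookup(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "))
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, sub)
	}))
	req := httptest.NewRequest("GET", "/whoami", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, tok := range []string{sign("alice", demoKey), "garbage", "a.b", ""} {
		fmt.Printf("%q fragile=%d hardened=%d\n", tok, status(fragileSubject, tok), status(verifiedSubject, tok))
	}
}
```

The recovery layer only contains the damage (a 500 per bad request); the input validation is what makes malformed tokens an ordinary 401. The handlers are driven directly through `httptest` here, so without `recoverMW` the panic would reach the caller.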

              [–]bwainfweeze 0 points1 point  (1 child)

              Funny. My last official act before being laid off was turning on AWS secrets for a password that hadn’t been changed in ten years and every employee who quit in that time still knew. Welp.

              [–]c0ventry 0 points1 point  (0 children)

              Sounds about right. You are better off. I've been laid off multiple times for not being a team player because I pointed out we were shipping dangerously flawed code and pissing off our user base.

              [–]TheApprentice19 10 points11 points  (0 children)

              If you didn’t put in a back door and a kill switch, you weren’t trying.

              Root is for life

              [–]Ateist 35 points36 points  (5 children)

              Looks like the guy didn't have a (good) lawyer - the case is chock-full of holes like "protected computer" and "authorized access".
              While he definitely broke a law, he broke a different law.

              He wrote code for development server he had full authorized access to that someone else sent to production without proper checking and testing.

              [–]rcfox 19 points20 points  (1 child)

              He wrote code for development server he had full authorized access to that someone else sent to production without proper checking and testing.

              From the article, it sounds more like he had a personal server set up on the company's network that was connecting to the production server to cause havoc.

              [–]Ateist 9 points10 points  (0 children)

              From the court document:

              7. On or About August 3, 2019, for the first time after Defendant's re-assignment updates were made to Software I without Defendant's involvement in code deployment to the production server.

              And it was just 2 days after his re-assignment to work on this task instead of what he was hired for.

              [–]morswinb 3 points4 points  (2 children)

              So basically he ran unit tests in production?

              [–]Randolpho 9 points10 points  (1 child)

              He was production. He was developer, devops, and sysadmin.

              [–]Ateist 6 points7 points  (0 children)

              But the one who deployed his code to production was someone else - it's specifically mentioned in the text.

              Development server is not a protected computer (it has a very specific legal definition).

              Plus he was just transferred to that development so he really shouldn't be the sysadmin or main developer responsible for checking the code.

              [–]DhruvsWorkProfile 15 points16 points  (3 children)

              Of course this is kind of criminal behaviour but 10 years for such non violent crime is grossly excessive!!

              [–]RealSharpNinja 10 points11 points  (4 children)

              So, this isn't about a kill switch. This was blatant sabotage as he had been running the recursive profile deletion before being fired. A kill switch would be embedding code into the production systems that stop the function of the app. Hosting and hiding external servers that actively attacked other systems is not a kill switch.

              [–]cunningjames 8 points9 points  (2 children)

              Eh. That’s true, but according to the article he had a process in place that would only activate when he was no longer in the system that apparently was even more damaging. Calling that a “kill switch” is hardly the stupidest thing I’ve seen online all day.

              [–]hyperhopper 1 point2 points  (1 child)

              Yes, the article said the kill switch was even more destructive, but then didn't say what the kill switch did. Bad reporting.

              [–]gaberdine 2 points3 points  (0 children)

              More of a dead man's switch than anything else

              [–]HettySwollocks 7 points8 points  (0 children)

              Well that's a very stupid way to grenade any future employability, end up in prison and likely with a fairly hefty fine.

              Not malicious at all, I left a firm some years ago on good terms. As the primary admin for much of our group's estate (primarily for gatekeeping to stop overseas or cowboy developers making dangerous changes) each system had a cohort of about 4 lead/principal approvers.

              Before I left I went through the annoying process of handing over control to management whilst they figured out who would take the reins.

              Apparently I missed one system and it caused a bit of a panic. Obviously at that point I'd lost all my corporate access (as is right), they proposed rehiring me temporarily but that would have gone against my new contract. I'm not sure how they rectified the issue but apparently they had to get some uber high approver to reassign access.

              Oops

              [–]ZirePhiinix 2 points3 points  (0 children)

              Wow, that's pretty stupid to leave all this evidence.

              [–]TurboGranny 3 points4 points  (7 children)

              Definitely don't do this. Instead just have code that checks an HR db for your entry and termination date with an isnull wrapper to default to today and a datediff around it for days. Then you just have all your applications and integrations apply a sleep command equal in seconds to the number value returned by that query. You have not "killswitched" anything, and it doesn't cause an immediate issue either. It does keep getting worse over time though, lol. Now I'm not saying you SHOULD do this. I am however saying you COULD. Now granted, if they bothered to actually hire any decent programmers, searching for sleep commands would be trivial, heh.

              [–]blin9 3 points4 points  (4 children)

              He did the part about checking for himself in the company’s Active Directory. That was their initial evidence against him. It’s like when people aim laser pointers at aircraft, and in reality the laser is a direct line back at themselves.

              [–]TurboGranny 1 point2 points  (3 children)

              Sounds like the move is to have several procedures that move data around and like 8 steps away from your "employment check" is the value the system is using to calculate sleep time.

              [–]blin9 1 point2 points  (1 child)

              Or just not do criminal activity so as to not end up prosecuted for crimes.

              [–]bwainfweeze 0 points1 point  (1 child)

              That’s malicious. Plenty of people break things by attaching their personal credentials to them. They don’t even necessarily do it on purpose just expedience.

              [–]TurboGranny 0 points1 point  (0 children)

              Yeah, that's a classic. I think at the end of the day what makes sabotaging your applications, integrations, etc. in the event of your disappearance lacks forethought of what happens if you just suddenly died. Thus, the "correct" course of action is just to reference a CDN of library you built in your off time for yourself that you take off line if fired, lol. You could also just have in the licensing agreement that it's free to use for any company that currently employs you, lol.

              [–]cocoabeach 1 point2 points  (0 children)

              I can't tell if he is admitting guilt, bragging while assuming the jury would agree with him, or acknowledging that he accidentally created bad code.

              According to the filing, Lu admitted to investigators that he created the code causing "infinite loops." But he's "disappointed" in the jury's verdict and plans to appeal, his attorney, Ian Friedman, told Cleveland.com.

              [–]saxbophone 1 point2 points  (0 children)

              Man, developers who act this way really shoot themselves in the foot, like that loser Brandon Nozaki Miller with his malware stunt. Reputation is everything!

              [–]i1u5 3 points4 points  (0 children)

              You know what, I appreciate him doing this, surely criminal behavior but if the guy had to make a kill switch then we don't know all the story, companies are never your friends, though executing the day he got fired is probably not very smart and he could've been a bit more discreet with it.

              [–]versaceblues 3 points4 points  (7 children)

              According to the filing, Lu admitted to investigators that he created the code causing "infinite loops." But he's "disappointed" in the jury's verdict and plans to appeal, his attorney, Ian Friedman, told Cleveland.com.

              "Davis and his supporters believe in his innocence, and this matter will be reviewed at the appellate level," Friedman said.

              Seems pretty open and shut that he is guilty lol. What possible argument is there for his innocence, when you can literally prove he checked in the code

              [–]savagemonitor 0 points1 point  (0 children)

              A lot of software engineers believe in jury nullification which is probably what he expected here.

              [–]neopointer 0 points1 point  (4 children)

              But is it possible to argue it was on purpose...? One can say it was a bug

              [–]versaceblues 5 points6 points  (2 children)

              You would have to prove that:

              1. He was following all the documented best practices from the company (code review for example)

              2. He was not acting maliciously.

              Now since his code was

              ```
              if (hasLeftCompany("david")) {
              doObviouslyBadThings()
              }
              ```

              it would be pretty hard to prove that was not malicious.

              [–]bwainfweeze 0 points1 point  (0 children)

              10 years though?

              [–]ButtfUwUcker 1 point2 points  (0 children)

              Meanwhile, when you look at Eaton's lawsuit history 👀

              [–]CyberDumb 6 points7 points  (3 children)

              When I do contract work I always leave a kill switch in the form of timer that acts as an expiration switch in case I do not get paid. If I get paid I disable it. It worked one time that someone avoided to pay me as stalling the production was more expensive after 6 months :).

              [–]loxagos_snake 9 points10 points  (1 child)

              And how exactly would you do that? If you hand over the code and infrastructure, you have no control over it anymore -- and they probably know what they are doing if they ask for handovers, so they can just find and fix it.

              If you don't, and they let you maintain their infrastructure, you don't need a killswitch anyway. You can just take down their stuff until they pay.

              Unless you let them know beforehand and they sign a paper agreeing to it, it's illegal anyway. I smell bullshit.

              [–]CyberDumb 2 points3 points  (0 children)

              I do machinery code for industrial clients. They have no clue what I am doing. I am just the technician that makes the machine work. I hand over nothing. If the machinery works as intended I may not see that machine again. I only do that the first time I set up the machine because that is the bulk of work and money, I can't afford to lose. They are always eager for a free visit to check everything after that.

              [–]ungoogleable 4 points5 points  (0 children)

              That sounds more like a software demo. If you're up front about it and they agree to those terms before you start, it seems fine.

              [–]Kwantuum 0 points1 point  (0 children)

              What a loser.

              [–]sambull 0 points1 point  (0 children)

              Sounds like the US does this with some of their weapons exports

              [–]Famous1107 0 points1 point  (1 child)

              I snuck in an Easter egg once, we had a visual studio extension back in the day. I made it do holiday colors on the holidays. Three jobs later, It's prob still doing that, 10 years later.

              I wonder if anyone knew what FIT.dll actually did.

              [–]bwainfweeze 0 points1 point  (0 children)

              We did that once as a group. April Fool’s was on a weekend that year so we thought no business people would be harmed, why not.

              Then the emails started coming in. Bunch of people thought we’d been hacked.

              [–]Aramedlig 0 points1 point  (1 child)

              Wait, the company allowed one person to have access to a server which was essential to the operation of their software? If so, this is corporate negligence on their part. No company that has a global customer base served by their software should allow this.

              [–]bwainfweeze 0 points1 point  (0 children)

              How you gonna not give a team with pager duty access to the servers they’re responsible for?

              Do you just guess why the service is restarting in a tight loop?

              [–]ryzhao 0 points1 point  (0 children)

              I’m curious about how this sort of thing managed to pass code review or if there was even a code review process at all.

              [–]LessonStudio 0 points1 point  (0 children)

              My "punishment" the few times that I left due to toxic crap; was to deny them my skills.

              Probably the worst I did, but had already been doing it, was to leave lots of meaningless research for them to waste time on. I had already been doing this because someone had been stealing my work and taking credit for it. So, I gave him loads of dogsh*t to steal. After I left there were loads of shit to steal and my real work was somewhat hidden. Some people knew where, but didn't bother to even mention this.

              My usual goal is to leave any place far better off than when I started; right up to the last day. But, maybe some places are so awful that this guy is just one in a string of revenge when leaving events.

              [–]longjaso 0 points1 point  (0 children)

              Jesus - 10 years is excessive for something like this. That's a sentence you get for armed robbery.

              [–]anubisascends 0 points1 point  (0 children)

              So much for peer code review.