Contractor Admits Planting Logic Bombs In His Software To Ensure He'd Get New Work (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Many IT workers worry their positions will become obsolete as changes in hardware, software, and computing tasks outstrip their skills. A former contractor for Siemens concocted a remedy for that -- plant logic bombs in projects he designed that caused them to periodically malfunction. Then wait for a call to come fix things. On Monday, David A. Tinley, a 62-year-old from Harrison City, Pennsylvania, was sentenced to six months in prison and a fine of $7,500 in the scheme. The sentence came five months after he pleaded guilty to a charge of intentional damage to a protected computer. Tinley was a contract employee for Siemens Corporation at its Monroeville, Pennsylvania, location.
According to a charging document filed in U.S. District Court for the Western District of Pennsylvania, the logic bombs Tinley surreptitiously planted into his projects caused them to malfunction after a certain preset amount of time. Because Siemens managers were unaware of the logic bombs and didn't know the cause of the malfunctions, they would call Tinley and ask him to fix the misbehaving projects. The scheme ran from 2014 to 2016. Tinley will be under supervised release for two years following his prison term. He will also pay restitution. The parties in the case stipulated a total loss amount of $42,262.50. Tinley faced as much as 10 years in prison and a $250,000 fine.
"pleaded guilty" (Score:1, Troll)
Oh how I do love the smell of coerced false confession in the morning!
Re: (Score:2, Funny)
All he really had to do was follow the specifications precisely.
After a while, the inadequacy of the specs or the rigidity of the solution requires a revisit.
Microsoft (Score:2)
I'm quite sure Microsoft made BILLIONS doing very nearly the same thing. Their stuff has always just MOSTLY worked... well enough for C-suite types and consultants to both recommend... and the consultants would incidentally get years of works fixing the MOSTLY working Microsoft software.
Re: (Score:2)
Re: (Score:1)
No, nothing that straightforward. MS-Access didn't behave with complete ACID compliance. As your database grew in size and simultaneous users, it would randomly malfunction. The easiest solution was to reimplement with a SQL Server back-end linked to a front-end using ODBC. Been there, done that.
As an aside, SQL Server was the only decent MS product in that day, IMHO.
Re: (Score:2)
As an aside, SQL Server was the only decent MS product in that day, IMHO.
Excel was always pretty good.
Re:"pleaded guilty" (Score:4, Informative)
What makes you think it was coerced?
Sometimes you may be obviously guilty, and if you make a long, drawn-out court case for you to be called guilty, then you get the same punishment + have to pay extra legal fees + you may get extra punishment (the judge may push towards the maximum sentence) for wasting the time.
Vs. declaring guilty: fewer legal costs and a lower punishment.
His lawyer, after looking at the evidence, probably recommended that he plead guilty, as he can probably get a better sentence, as there may be no chance he could win.
Also, he may know that if there is a full investigation, they may find more material on misconduct that can make things worse.
Re: "pleaded guilty" (Score:5, Informative)
Does bootleather really taste that good to you?
Under the heinously evil "plea bargain" system that is utterly destroying the legitimacy of our court system, ALL confessions are coerced confessions. That's exactly what "plea bargain" means. And all coerced confessions are ipso facto false confessions.
Stand up, man! For God's sake, stand up for human decency! Stop giving these contemptible villains the aid and comfort of your words. When the very halls of justice are turned to a cackling mockery of all that is just and honest, good men MUST speak out against it.
Re: (Score:2)
Re: "pleaded guilty" (Score:4)
My language was perhaps too florid. Yet the truth remains: the "plea bargain" system is a mockery of justice.
Re: "pleaded guilty" (Score:4, Interesting)
It most certainly is NOT a hysterical load of bullshit. The plea bargain system needs to go away -- it is literally the DA bribing you to plead guilty.
I was in Daytona Beach for spring break, and someone grabbed this drunk chick's ass. I was standing at a table outside a bar (along with three friends), and she was walking down the *middle* of the blocked off road -- a good 15 feet away. Her boyfriend asked her who grabbed her -- she stumbled around, and pointed over at me. He ran over and grabbed me, and it turned out he was an off duty officer -- that was also drunk. He called over an on duty and had me arrested.
So, I make it to court, and plead not guilty and I choose to represent myself since I have 3 witnesses that can vouch that I was standing at the table and never moved -- and I don't have 15-foot arms. The prosecutor offers me 6 months probation, and a $500.00 fine if I plead guilty -- even though one of the witnesses went with me to court, and told her exactly what he was going to testify to. I took the "deal" because I was concerned that since her boyfriend was a cop, he might pull some bullshit made up witnesses out of his ass.
Bottom line, I was NOT GUILTY, but I pleaded guilty because we have a FUCKED up system.
Re: (Score:2, Troll)
Been there done that, luckily as a minor. I know many others who've done the same.
The poorer the evidence the more enticing they make the deal so you have to weigh it against the time and risks of trying to fight it and the public defender won't do anything willingly except negotiate terms. They'll encourage you to take the deal either because they have paying clients to get back to or because their case load is so high there is no other way to manage it.
Not that anyone should face legal consequences over g
Re: (Score:3)
I'm a doctor in Spain. During my residency I was on call for general medicine and had to see a patient that was out of the speciality I was preparing for.
The guy had been admitted for an infection. He was getting the right antibiotics, his vitals were normal. They called me because he had thrown up (as he had a few times earlier that day). The tests were normal.
Five hours later the guy went very quickly into septic shock and died in a matter of minutes. I never knew about that because another doctor took th
Re: (Score:2)
Re: "pleaded guilty" (Score:1)
You say that. Yet he was _not_ convicted in open court by a jury of his peers. He was coerced to confess. No one actually knows if a jury would have found him guilty - we can only speculate based on one-sided propaganda.
Re: (Score:2)
I read the first line and skipped the rest. What's with the internet exposing all kinds of cranks?
Re: "pleaded guilty" (Score:1)
While I agree you're a crank, I'm nevertheless glad you have the freedom to post your thoughts on the internet.
Re: "pleaded guilty" (Score:1)
Anonymous Coward - himself perhaps a criminal by nature and a gestapo thug by trade - plays Internet Tough Guy, pisses on the Constitution, and mounts anonymous, cowardly defense of guilt by accusation and coerced false confession. Nothing to see here.
Vacation got him (Score:5, Informative)
More detailed article at zdnet [zdnet.com].
The spreadsheets included custom scripts that would update the content of the file based on current orders stored in other, remote documents, allowing the company to automate inventory and order management. But while Tinley's files worked for years, they started malfunctioning around 2014. According to court documents, Tinley planted so-called "logic bombs" that would trigger after a certain date, and crash the files. Every time the scripts would crash, Siemens would call Tinley, who'd fix the files for a fee. The scheme lasted for two years, until May 2016, when Tinley's trickery was unraveled by Siemens employees. According to a report from Law360, the scheme fell apart when Tinley was out of town, and had to hand over an administrative password for the spreadsheets to Siemens' IT staff, so they could fix the buggy scripts and fill in an urgent order.
Re: (Score:3)
I'm not sure who is the criminal here.. the guy who broke the "spreadsheets" or Siemens who insisted on using "spreadsheets"... I mean him breaking them was some of the best free consulting they could have gotten...
In my line of work I run across the use of spreadsheets far more than I ever should - and it never ceases to amaze me how many large corporations have rather high value/critical processes facilitated by nothing but Excel....
Re:Vacation got him (Score:4, Insightful)
I'm not sure this guy needs prison time. What is the benefit to society of the prison term? The community supervision seems to be just as well.
Re:Vacation got him (Score:5, Insightful)
Re: (Score:2)
That has little to do with whether a state action produces a benefit to society.
Re: (Score:2)
Re: (Score:3)
Why do you think that deliberately abusing one's access to set up a system to defraud a business is only worthy of community supervision?
Because if it's unlikely he'll commit new crimes under community supervision, then any more-harmful action is strictly unethical.
would you be OK with community supervision?
Well it'll save me from paying taxes to house him at a rate of $70,000/year while gaining no benefit, and it will avoid the ethical cost of taking away more of his liberty and freedom than is strictly necessary to control the threat to society he may represent, if there is no such credible ongoing threat he represents which cannot be controlled without imprisonment. It would al
Comment removed (Score:5, Interesting)
Re: (Score:3)
Well it sounds like they were using it to manage a supply chain operation, so yeah, it's pretty bad. This isn't "snobbery", this is common sense.. Spreadsheets are awesome for doing analysis, or prototyping data shapes.. but when it comes to managing the data for a business process I'd rank it higher risk than a paper system.
So yea,
Re: (Score:3)
It's not that spreadsheets are bad, it's that through that ease of use you mention, they enable people to do bad things with them. I have seen some truly monstrous spreadsheets which should have been applications instead, particularly given the amount of time that had been dumped into them to make them work and keep them functional.
To put it another way, they overly cater to a layman's way of thinking of solutions, instead of a fully fledged language which is more robust but requires one to think in terms
Re: (Score:3)
I'm more annoyed by how much of an amateur this guy is.
Contractors write software exactly to spec for this reason. Oh, you need it to not crash when you type one too many digits? Well, that's a change, so I'll bill you.
There are so many ways they can keep the work coming endlessly just by creating what look like problems created by the company.
Re: (Score:2)
Sorry, right tool for the right job. Excel is great for what it is but it's not sql.
Re:Vacation got him (Score:4, Insightful)
Spreadsheets as a rule don't provide for
1) Change Control
2) Role based access control
3) Audit trails
4) Any kind of redundancy / fail-over
They fail every leg of the security triad (confidentiality, availability, integrity) the moment they morph from being a collection of current information or a tool used to do some analysis into any sort of system of record or shared application.
It's not snobbery. Sheets are great for proving things out, prototyping of all kinds of things, one-time-analysis efforts etc. They are NOT great for critical processes.
Re: (Score:2)
Re: (Score:2)
Not exactly - I'd say it's closer to showing how fragile the house of cards is in a way which is not hugely detrimental, to give them a chance to realize what they have before having a catastrophic failure.
Re: (Score:2)
Re: (Score:2)
I agree with you, but I find it ironic that as I read this, the quote on the page is
"If it ain't broke, don't fix it." - Bert Lantz
Re: (Score:2)
A lot of the Y2K "fixes" used the years 2014 and 2015 as the cutoff time, assuming the company would have been nuts to use the product for that many more years later. But never underestimate Siemens for using old and outdated stuff.
Re: (Score:2)
A lot of the Y2K "fixes" used the years 2014 and 2015 as the cutoff time ...
I never heard about nonsense like this
Re:Vacation got him (Score:4, Insightful)
outside contractor has there own VM to run there a (Score:2)
outside contractor has there own VM to run there app
Re: (Score:1)
outside contractor has there own VM to run there app
Can you put that into English please?
Re: (Score:2)
app document $250 Source code $500K
Re: (Score:2)
and had to hand over an administrative password for the spreadsheets to Siemens' IT staff
Seriously? Here you go, Siemens. This one is on the house.
Re: (Score:2)
How common is this? (Score:2)
I wonder if this isn't quite common, actually.
Not specific logic bombs per se, but more or less intentional half-assed work that the developer would have designed to be only good enough for the present and which would need maintenance later on.
With many software projects being rushed anyway, thus forcing solutions to be half-assed to meet the release deadline, it would become easier to get away with doing it intentionally in those cases when you did have enough time to do it well.
I'm sure various software m
Re: (Score:2)
AI achieved (Score:2)
"Pets of the system. "
When software starts to keep pets I think we can all agree it passes the Turing test
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It depends about the business situation. I, for example, only sometimes write software and when I do it, I do it at full consulting rates. I never did anything shoddy or intentionally bad and my stuff rarely cause problems. But customers expect good work at my rates and not delivering that would be really bad for business. A regular coder gets less than half of my hourly rate and a lot less time to do things. I do fully understand if they half-ass a lot of stuff and sometimes let problems intentionally unfi
Re: (Score:2)
I don't think it's done intentionally very often. I think it just happens a lot.
Anytime you have an application that requires significant amounts of institutional, vertical, and domain specific knowledge to build, and time pressure to get it done, you'll end up here.
Even things like code reviews etc usually don't prevent it. Because there is nobody with the domain knowledge to do anything but a rather pro forma - "well it follows the style guide and I don't see anything stupid here like bubble sort. Beyond tha
Illegal as hell (Score:5, Insightful)
Re:Illegal as hell (Score:5, Insightful)
When a company like SPSS (whose software self-destructs if you change the system clock back by a couple hours) does it, they call it "terms of service".
Welcome to late-stage capitalism.
Re: (Score:1)
Re: (Score:2)
People voted with their wallets and chose lowest price over everything else. When it's a race to the bottom everything is garbage. Like the old saying goes: good, fast, cheap. Pick two.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
There is a difference in 'how' you do it.
It is something that is more difficult to do in software as it doesn't 'age' per se.
So manufacturers can 'cut' corners knowing it will make the product fail at some point. Yet, they can easily say, we used this plastic gear instead of this metal gear to reduce costs.
There's no doubt manufacturers play games with planned obsolescence. But there is a difference with playing games, and just doing it explicitly outright.
Most software companies don't have products with bu
Amateur... (Score:4, Funny)
Contractor Admits Planting Logic Bombs In His Software To Ensure He'd Get New Work
Meh, that's still work. Nothing has yet beaten out that developer who outsourced his development work to China and then spent his days at work surfing the web. https://it.slashdot.org/story/... [slashdot.org]
Is it really that hard to stay current? (Score:2)
I am midway in my career and had to change default languages and learn some new ones, discover some new methodologies and implement them into my own. It is a part of being in IT. One thing I have found: the more things change, the more they stay the same, and computing designs run in a pattern. Client Side Programming vs Server Side Programming. Complex API systems vs simple string manipulation.
About a decade ago I heard some buzz around restful services. So I just did a Google on it. Using the HTTP response codes
Re: (Score:3)
This may even be acceptable when you are doing a hobby project, but it is not at all acceptable when you are making systems that will be used for decades.
Re: (Score:3)
The framework of the month usually just means staying current with the terminology as it is often some kid who just got their CS Degree and reinvented something old that they didn't teach in college, and gave it their own name.
These 20 year old kids do not have 30 years experience in this technology that is 3 months old.
Us old guys may actually have decades experience in this 3 month old technology. It just had a different name back then.
Underhanded C contest (Score:2)
certificate updates can be seen as logic bombs yea (Score:2)
certificate updates can be seen as logic bombs yearly.
Re: (Score:2)
Re: (Score:2)
Except the cartel that controls them has shortened the life of them recently, no more 3 year certs. That racket needs to be broken, it's a burden on people and business with not a lot of money. And that stupid Let's Encrypt bullshit isn't a solution, doesn't work with all systems nor is it useful for an e-commerce payment system needing a stored cert when it craps out every 30 days.
Parasites inserting themselves as middlemen when a free alternative could be used instead, like keys in DNS.
Re: (Score:2)
Re: (Score:2)
I'm only saying SSL certificates are a similar racket, too much money charged for something which takes almost no effort, and a smarter solution that provides equivalent level of security without paying anyone could be done.
What an idiot (Score:1)
Play Stupid Games, Win Stupid Prizes (Score:1)
Really, that's all there is to it in this case.
I'm honestly kinda surprised though that Siemens apparently doesn't have a formal review process that is good enough to catch stuff like this, unless Tinley is a past winner of the obfuscated C code contest or something...
Cannot be really competent (Score:2)
Placing bugs that are not identifiable as anything except bugs is not that hard. You want them in corner-cases, in obscure cases and in cases that would obviously not be well-tested and rarely relevant. What this person seems to have done instead was explicit "fail at date" code that is blatantly obvious to any forensic analysis.
No, I do not advise to do this. But I teach how to defend against backdoors in code and that needs examples. The best ones are always ones that plausibly could be bugs. With these,
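As an added illustration of the point above that "fail at date" code is obvious on review (example code written for this page, not from the case, from Siemens, or from the commenter): a small Python scanner that flags VBA macro lines whose control flow depends on the clock and any destructive statement gated behind such a branch. The VBA sample is constructed, and its Y2K-style pivot function shows why a flag means "review", not "malicious".

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed VBA sample for this example. The real spreadsheet code from the
# case was never published, so the trigger below is an assumption modelled on
# the "crash after a preset date" behaviour the story describes.
SAMPLE_VBA = """\
Sub RefreshOrders()
    Dim src As Workbook
    Set src = Workbooks.Open("\\\\fileserver\\orders\\current.xlsx")
    If Date > DateSerial(2016, 5, 1) Then
        ' wipes the sheet once the cutoff has passed
        ActiveSheet.Range("A1:Z999").ClearContents
    End If
    If CDate(Now()) >= #9/15/2014# Then Err.Raise 1004
    Call CopyOrders(src)
End Sub

Function YearWindow(yy As Integer) As Integer
    ' two-digit year pivot: a legitimate Y2K-era idiom, not a trigger
    If yy < 50 Then YearWindow = 2000 + yy Else YearWindow = 1900 + yy
End Function
"""

TIME_FUNC = re.compile(r"\b(Date|Now|Time|Timer|DateSerial|DateValue|CDate|DateDiff)\b", re.I)
COMPARISON = re.compile(r"<=|>=|<>|<|>|=")
HARD_DATE = re.compile(r"#\d{1,2}/\d{1,2}/\d{2,4}#|DateSerial\(\s*\d{4}\s*,", re.I)
DESTRUCTIVE = re.compile(r"\b(ClearContents|ClearFormats|Delete|Kill|Err\.Raise|Application\.Quit)\b", re.I)
BRANCH = re.compile(r"(if|elseif|do while|do until|loop while|loop until|while)\b", re.I)


@dataclass
class Finding:
    line: int
    severity: str   # "review": needs a human look; "high": destructive action gated on the clock
    reason: str
    text: str


def scan_macro(source: str) -> List[Finding]:
    """Flag lines whose branching depends on the clock, hard-coded dates, and
    destructive statements that sit inside an open clock-dependent If block.
    Limitation: a comparison stored in a variable and tested later is not seen."""
    findings: List[Finding] = []
    gate_stack: List[bool] = []   # one entry per open block-If: True if clock-dependent
    for no, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        low = line.lower()
        if not line or low.startswith("'") or low.startswith("rem "):
            continue   # whole-line comments carry no control flow
        clock_branch = bool(BRANCH.match(low) and TIME_FUNC.search(line) and COMPARISON.search(line))
        hard_date = HARD_DATE.search(line)
        destructive = DESTRUCTIVE.search(line)
        inside_gate = any(gate_stack)
        if low.startswith("if ") and low.endswith(" then"):
            gate_stack.append(clock_branch)          # multi-line If ... End If
        elif low.startswith("end if") and gate_stack:
            gate_stack.pop()
        if clock_branch:
            reason = "branch depends on the current date/time"
            if hard_date:
                reason += f" compared with hard-coded date {hard_date.group()}"
            findings.append(Finding(no, "high" if destructive else "review", reason, line))
        elif hard_date:
            findings.append(Finding(no, "review", f"hard-coded date {hard_date.group()}", line))
        if destructive and inside_gate and not clock_branch:
            findings.append(Finding(no, "high", "destructive statement inside a date-gated block", line))
    return findings


if __name__ == "__main__":
    for f in scan_macro(SAMPLE_VBA):
        print(f"{f.severity:6} line {f.line}: {f.reason}\n        {f.text}")
```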
Re: (Score:2)
You gotta admit that would have been rather unnecessary as we've known about that issue for more than thirty years. I'm not going to search it out, but I'd bet you can find /. and industry articles on that topic from very early on.
Re: (Score:2)
Re: (Score:2)
Indeed. Still, the part of the NSA charged with protecting critical infrastructure and the economy should have given louder and louder warnings about the problem as it became worse due to more and more dependency on working IT.
Scott Adams charged as co-conspirator (Score:4, Funny)
Goose/Gander (Score:4, Interesting)
How is this different from any planned obsolescence? It's OK when Apple does it but not when it's an individual protecting an income stream?
Re: (Score:2)
Are you making shit up? We have an 8-year-old iMac at home that works perfectly.
Re: (Score:3)
OK, so here's a challenge:
Take a 5 year old iPad. Wipe it and put a new Apple ID on it. Now try to install some apps like Facebook, Chrome, etc. App Store will tell you, "No way, Jose. You've got to update your iOS to a version that won't run on it first". However, if you violate the Apple TOS and temporarily log in with an Apple ID that has another device with those apps already installed, App Store will offer to let you do
Re: (Score:2)
Dang. Don't get me wrong, yes it's planned obsolescence but the lifecy
Re: (Score:2)
I have an iPod 3 hand-me-down that works great, but I had to break the TOS to get apps to load because...planned obsolescence.
Sometimes, an old piece of gear is a great way to introduce the platform to someone. Apple tries to make that impossible (without violating terms of service) because they want you to buy a new one.
Re: (Score:2)
I don't think "they do it", I believe it is just a mistake.
And if you would stop ranting on /. about it and simply send them a letter, they probably even would fix it.
Re: (Score:2)
Oh, I've done that. And posted on Apple forums. And explained the issue to the people at the "Genius Bar".
Re: (Score:2)
That's my point. They DID NOT remove the 32 bit binaries from the store. If you have an Apple ID that has previously installed those apps, the App Store will happily offer to let you download and install them again.
Re: Goose/Gander (Score:2)
If you sold a piece of tech as guaranteed not to be obsolete in five years, you'd be sued in two or sooner. Proving planned obsolescence vs. obsolescence is like proving Trump did something wrong. The CEO said no planned obsolescence, see, so it's not obsolete.
PRs can go a long way (Score:2)
So, cybersecurity (Score:2)
So, this is basically the foundation for cybersecurity and the rental business model industry that's grown up around it. "For a nominal monthly service fee, we'll claim to ensure that nobody can scam county records offices and steal your property title." "For a low monthly fee, we'll claim to protect your social security number." "For only $9.95 a month, we'll claim to screen out robodialers."
So ... (Score:2)
Software contractors do the same things as normal contractors?
NOT GONNA HAPPEN (Score:1)
I thought of that back in 1998 (Score:2)
I had a similar career, but ... (Score:3)
... it was a lot easier and it was legal.
Managers made decisions based on articles they'd read in the Wall Street Journal despite my recommendations to let me do my job.
One example: A managing partner said, "Hey ... I read in the WSJ that a server only costs $599 and ours cost us $22,000. Why aren't you buying a server like that?"
I said, "Boss, let's go online and order us one."
He went out to his car and got the article and we went online.
So, there it was: Server for $599.
We added that to the cart. I asked him, "What server operating system do you want?"
Blank look. We chose Windows, added to cart.
"What RAID?" Blank look. I talked him into RAID 5, hot swappable. Added to cart.
"We need a backup tape." Added to cart.
Being a busy lawyer, he gave in at that point.
standard business practice (Score:2)
To much (Score:1)
Monroeville (Score:1)
There's a zombie joke in here but I'm too tired to craft it.
Please tell me that someone gets it.
Re: (Score:2)
Without doubt, they'll have to recall him from Heaven to fix it.
Smart move.
Re: (Score:2)
OH I SCREWED THIS JOKE UP
You know how to fix it. Sorry.