Cloud Engineer Gets 2 Years For Wiping Ex-Employer's Code Repos (bleepingcomputer.com) 121
Bill Toulas reports via BleepingComputer: Miklos Daniel Brody, a cloud engineer, was sentenced to two years in prison and a restitution of $529,000 for wiping the code repositories of his former employer in retaliation for being fired by the company. According to the U.S. Department of Justice (DoJ) announcement, Brody was fired on March 11, 2020, from First Republic Bank (FRB) in San Francisco, where he worked as a cloud engineer. The court documents state that Brody's employment was terminated after he violated company policies by connecting a USB drive containing pornography to company computers.
Following his dismissal, Brody allegedly refused to return his work laptop and instead used his still-valid account to access the bank's computer network and cause damages estimated to be above $220,000. "Among other things, Brody deleted the bank's code repositories, ran a malicious script to delete logs, left taunts within the bank's code for former colleagues, and impersonated other bank employees by opening sessions in their names," describes the U.S. DOJ announcement. "He also emailed himself proprietary bank code that he had worked on as an employee, which was valued at over $5,000."
After the incident, Brody falsely reported to the San Francisco Police Department that the FRB-issued laptop had been stolen from his car. He continued to uphold this story when interviewed by United States Secret Service agents following his arrest in March 2021. Eventually, in April 2023, Brody pleaded guilty to lying about the laptop and to two charges concerning violation of the Computer Fraud and Abuse Act. In addition to the two-year prison term and the payment of the restitution, Brody will serve three years of supervised release.
so, is no one smart enough to realize (Score:5, Insightful)
Re: (Score:2, Interesting)
If you need to do this then you hire the wrong people. Fire your managers and HR department too.
Re:so, is no one smart enough to realize (Score:5, Insightful)
Sounds a lot like blaming everyone except the criminal? Yes, there were faults. The faults do not excuse the crime. Failing to lock the door to your house is not a legal defense for a burglar.
Re:so, is no one smart enough to realize (Score:5, Insightful)
that if you're going to fire someone in IT, then you must disable their access FIRST?
Sure, but that doesn't change the culpability of the perp.
It's not okay to rob someone's house just because they fail to lock the door.
Re: (Score:2)
This is true of course, but people get emotional, a bit like road rage, but behind a screen. You can do a lot of damage at a keyboard.
Re: (Score:2)
Sure, but that doesn't change the culpability of the perp.
Sure, but it doesn't change the fact that companies should be following standard IT practices to prevent this from happening in the first place.
Re: (Score:2)
that if you're going to fire someone in IT, then you must disable their access FIRST?
Sure, but that doesn't change the culpability of the perp.
It's not okay to rob someone's house just because they fail to lock the door.
It also doesn't cover you for any dead man switches they left under shared accounts or secret accounts set up that no-one else knows about. If I were ever to try to sabotage my employer I sure as hell wouldn't do it using any of my normal user accounts.
The best defence is to hire good people and don't treat them like shit... But let's not get crazy here.
Re: (Score:2)
Not only relevant for IT. You _always_ only inform people with any critical access that they are fired after their accounts are locked. My take is that this bank's IT is a complete mess (observe the lack of backups as additional evidence) and they may not have known he had that access and they may not have working SSO and account management. It is even possible he managed to log in using a non-personal technical account (which should not work at all from outside the server network) or the like.
You do not gi
Re: (Score:2)
You would be surprised how companies are, when it comes to IT people. When I got notified I was laid off at a previous job, I wound up having to be the one who had to lay myself off, moving access to my replacement, then finally checking in a script into the company's Git server (GPG signed with the private key on a Yubikey) for the guy to run to finish removing access. Had I wanted to be a douchebag, I could have easily done so... but it would have resulted in bridges burned and other things (people with
Re:so, is no one smart enough to realize (Score:4, Interesting)
Modern IT teams are interchangeable cogs in a machine. The person who knew the procedures for layoffs was probably laid off and replaced with a clone who checked the right box next to "Microsoft Certificate in Stuff We Need Done". I wish I was making this stuff up, but the more experience you get in IT support the more people think you're being overpaid compared to the cheap guy overseas.
Re: (Score:2)
That bad?
Re: (Score:2)
It is if the cheap workers don't know what to do when someone is fired, and it results in a loss of their code repo.
Re: (Score:2)
I would assert and confirm that you are right. If the dude overseas is cheaper and supposedly has an alphabet soup of letters, they will offshore/outsource. Problem is that when the outsourcing company starts only using the second-string or third-string people, as opposed to the first-string techs which were used to get the contract.
This is typical of the IT field. If stuff is working, management thinks they can replace you with an offshore dude for cents on the dollar. If stuff is not working, manageme
Re: (Score:2)
If they replaced you immediately after "laying you off", then they broke labour law. Layoffs are for role eliminations: i.e. no immediate replacement.
Re: (Score:2)
That depends on the area you live in. Where I live, it is an "at will" state. One can be laid off/separated/fired/termed for anything at anytime. At most labor laws might ensure you don't get stiffed on a paycheck if you are a direct employee.
Re: (Score:2)
And keep your backups current.
Re: (Score:2)
The backups should be current and object-locked, with info on them going into a SIEM. That way, someone covering their tracks would have to wage a wide swath of destruction. Ideally, the SIEM should be owned by a different group altogether for separation of duties.
Re: (Score:2)
Yeah, backups need to be done right, and not just to protect against crazy soon-to-be-ex employees.
Re: (Score:2)
It is simple at small startups: the person doing the firing coordinates with the person who is going to pull access. At the beginning of the termination meeting the access is pulled, and the person pulling access texts the person doing the firing when access is revoked and it is okay to end the meeting.
Now if you don't have a list of your critical accounts.... well you have bigger problems, but you can probably at least figure out that the password manager, AWS, and Google access needs pulled.
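Added example, not part of the original thread or any poster's code: a sweep of authentication events against an HR termination list, flagging logins on a terminated account and sessions opened under other names from a device the leaver never returned. The log format, field names, users, hosts and timestamps are all constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed HR data: termination time and issued devices not yet returned.
# Every user name, host name and timestamp in this example is made up.
TERMINATIONS = {
    "jdoe": {
        "terminated_at": datetime(2024, 5, 6, 17, 0, tzinfo=timezone.utc),
        "unreturned_devices": {"LT-0042"},
    },
}

# Constructed auth log, one event per line: timestamp user device system result
SAMPLE_LOG = """\
2024-05-06T15:02:10Z jdoe LT-0042 vpn success
2024-05-06T16:40:00Z asmith LT-0107 git success
2024-05-06T17:45:31Z jdoe LT-0042 vpn success
2024-05-06T17:52:03Z jdoe LT-0042 git success
2024-05-06T18:05:12Z asmith LT-0042 cloud-console success
2024-05-06T18:09:47Z jdoe LT-0042 mail failure
2024-05-07T09:00:00Z asmith LT-0107 git success
not a log line
"""


def parse_events(text):
    """Parse log lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, device, system, result = parts
        try:
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            continue
        events.append({"when": when, "user": user, "device": device,
                       "system": system, "result": result})
    return events


def sweep(events, terminations):
    """Return (kind, leaver, account, system, time) for post-termination activity."""
    findings = []
    for ev in events:
        for leaver, rec in terminations.items():
            if ev["when"] < rec["terminated_at"]:
                continue
            if ev["user"] == leaver:
                kind = ("LOGIN_AFTER_TERMINATION" if ev["result"] == "success"
                        else "ATTEMPT_AFTER_TERMINATION")
            elif ev["device"] in rec["unreturned_devices"]:
                # Another employee's name on the leaver's unreturned device.
                kind = "OTHER_ACCOUNT_ON_UNRETURNED_DEVICE"
            else:
                continue
            findings.append((kind, leaver, ev["user"], ev["system"],
                             ev["when"].isoformat()))
    return findings


def systems_still_open(findings):
    """Systems where the leaver's own account still authenticated successfully."""
    return sorted({f[3] for f in findings if f[0] == "LOGIN_AFTER_TERMINATION"})


if __name__ == "__main__":
    results = sweep(parse_events(SAMPLE_LOG), TERMINATIONS)
    for finding in results:
        print(*finding)
    print("revoke access on:", ", ".join(systems_still_open(results)))
```

The list returned by `systems_still_open` is the set of systems where access was not pulled before the termination meeting ended.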
Re: (Score:2)
Victim blame much?
Re: (Score:2)
Fault won't bring the data back.
Re: (Score:2)
One of the things I like about git is that everyone who checks out the repository has essentially a full backup of the repository (including all revisions, branches, and metadata) on their own computer.
Therefore, in a company with N developers working on the code, even if That Guy does wipe out the github repository server(s) and the backup tapes turn out to be rubbish, there should still be (N-1) fairly up-to-date copies of your codebase still accessible.
Re: (Score:3)
^ This. When I worked as a developer for a major corporation, I was let go due to a "last hired first fired" policy when the department got downsized. Before I even realized I was being let go, my network access suddenly stopped working. I went to my boss's office to ask about it and he said "there's some people from corporate in the conference room that want to see you". They handed me my severance check and I was escorted out of the building by security with a few of my personal belongings and mailed
Re: (Score:2)
If that's the way they want to handle it, then they should stop expecting 2 weeks notice from us. Just walk out when you find a new job. No KT for your existing team, no writing down all the things that are only in your own head, nothing.
Re:so, is no one smart enough to realize (Score:5, Interesting)
This. I had a lady give two weeks' notice and NO ONE TOLD ME! She mentioned it to me in the lunch room on her last day. I checked with HR and they said it was true despite the Firm's mandate that I be notified first. Goddam. She deleted just about everything and back in that day everything was on a rotating backup for 30 days. We had stand-alone Outlook where the .pst file was on her hard drive and it was all gone. Because she was a paralegal, she handled all of her lawyer's emails.
Re: (Score:3)
This. I had a lady give two weeks' notice and NO ONE TOLD ME! She mentioned it to me in the lunch room on her last day. I checked with HR and they said it was true despite the Firm's mandate that I be notified first. Goddam. She deleted just about everything and back in that day everything was on a rotating backup for 30 days. We had stand-alone Outlook where the .pst file was on her hard drive and it was all gone. Because she was a paralegal, she handled all of her lawyer's emails.
Same with me from the other side. I gave plenty of notice I was going to retire at each review, from 5 years down to when I put my notice in with a month to go. It was a real shock to them, but my boss "neglected" to tell the director or security. I kind of wondered why the big guy didn't talk with me about it - we were pretty close. HR certainly knew, but it was not their job - my top supervisor had the duty. On my last day, I was at lunch with a friend co-worker. And my phone lit up from the director's
Re: (Score:2)
I've had it work the other
Re: (Score:2)
We are a small shop but big enough to have an HR department. We, as IT, are *constantly* trying to get the hiring people to inform us at least 3 days in advance of new employee start.
I think it's just that hiring is a delicate process and even the people doing the hiring sometimes don't know until the last minute whether or not the person has accepted the job.
Why were his keys and creds not cut off? (Score:2, Insightful)
This is really more on the bank, than the person who was never restricted. This is a complete and total failure of protocol, and multiple people in the IT sphere, and Developer sphere, should p
Re: (Score:2)
This is really more on the bank, than the person who was never restricted.
No, it's not. If you leave your house unlocked, you might be considered stupid... but it doesn't reduce the culpability of a thief who enters and takes your stuff.
Re: (Score:2)
No, it's not. If you leave your house unlocked, you might be considered stupid... but it doesn't reduce the culpability of a thief who enters and takes your stuff.
You're right, but if you hired someone who had the job of locking your door when you leave, you'd fire that person for also not locking the door. It's not the bank's fault that this person chose to take these actions. It's the bank's fault that this person was able to commit these actions.
Re:Why were his keys and creds not cut off? (Score:5, Insightful)
This is really more on the bank, than the person who was never restricted.
No, this is on the guy who committed multiple felonies, and tried to lie his way out of it.
The bank did things that were stupid, but he did things that were criminal.
Re: (Score:2)
I worked for a company ~7 years ago, I can still login to their "master" server, they never changed the root login, and I've called the owner, emailed him, and gave him directions on how to do all the work required to lock me out. I've offered to drive to his house and do the work myself, to kill the accounts that should be taken off the server. His response the last time we talked (parap
Re: (Score:2)
As I just stated in another reply, this should trigger a serious investigation and charges against others at the bank.
What laws were broken by the bank? Sounds like they failed to follow policies or procedures.
Re: (Score:2)
What laws were broken by the bank?
Possibly some civil laws, especially ones concerning fiduciary responsibilities towards shareholders.
Other than that, only the ones in Murdoch5's revenge fantasies.
Re: (Score:2)
And they will be very complicated laws based on very complicated definitions that even the people who actually deal with them don't entirely understand, much less some random guy on the internet. Good luck.
And illegal isn't necessarily criminal, as has been pointed out.
Re: (Score:2)
You're missing the point, regardless if it's illegal, people should still be fired.
The point now is that you're lying about what you said:
this should trigger a serious investigation and charges against others at the bank.
You said, specifically, that there should be criminal charges. Now you pretend you didn't.
You've admitted you were full of shit when you said it, but are too cowardly and childish to say so out loud.
You lose, loser.
Re: (Score:2)
Before the person in question can leave the property, their credentials, keys, and any form of access should be fully wiped from all systems. The servers in question should have IP blocks in place to prevent them connecting, and the logs should be swept, repeatedly, for any access that is not IP and user validated!
This is really more on the bank, than the person who was never restricted. This is a complete and total failure of protocol, and multiple people in the IT sphere, and Developer sphere, should probably be fired because of it, including the CTO, CISO, and anyone else in an executive IT / Technology role who should have known better.
Let's focus on where I called out the bank and their standards:
This is really more on the bank, than the person who was never restricted. This is a complete and total failure of protocol, and multiple people in the IT sphere, and Developer sphere, should probably be fired because of it, including the CTO, CISO, and anyone else in an executive IT / Technology role who should have known better
So yes, you missed the point, and it was probably an accident, but there you go, I said multiple people should be fired.
What you're misquoting is a reply I made:
As I just stated in another reply, this should trigger a serious investigation and charges against others at the bank.
Should is an important word, to quote Webster's: "used in auxiliary function to express condition"
https://www.merriam-webster.com/dictionary/should
So, as a condition of the people at
Re: (Score:2)
No, you're chopping up what I said trying to misquote me.
Liar.
Words have meanings. You should learn some.
Re: (Score:2)
Have a good day!
Re: (Score:2)
I think you may be missing the point here: The bank had a duty to protect itself and it failed to do so. That must be addressed (by the bank, not us) in order to be secure. And yes, dude needed to be prosecuted because he did something wrong... which should not have been damaging, but it was, because of poor procedures and protocols on the part of the bank. There is plenty of liability to go around and using your logic, the bank escapes it completely.
Re: (Score:2)
I think you may be missing the point here:
Are you a sock puppet for Murdoch5? He (you) specifically said more blame is on the bank, which, so far as we know, did nothing illegal, and certainly nothing criminal, than the criminal who committed multiple felonies. I'm not the only one who took issue with that, and he's (you're) now lying about what was said.
I'm not missing the point, you're trying to change the subject.
Dumbass.
Re: (Score:2)
Are you a sock puppet for Murdoch5?
Absolutely not. Have you noticed any similarities at all other than you seem to disagree with both of us?
He (you) specifically said more blame is on the bank
Kind of, but not really. Your lack of nuance is fucking you over HARD here sir.
The criminal deserves to be prosecuted for the crimes they CLEARLY committed. That prosecution does not absolve the security principals at the bank. They were charged with keeping these kinds of things from happening and due to their incompetence, those bad things happened. Do you think that should not be addressed?
Re: (Score:2)
Are you a sock puppet for Murdoch5?
Absolutely not. Have you noticed any similarities at all other than you seem to disagree with both of us?
You're both trying (and failing) to deny that he claimed the bank officials, as individuals, have committed some criminal act.
He (you) specifically said more blame is on the bank
Kind of, but not really.
Yes, really.
Your lack of nuance is fucking you over HARD here sir.
You need to learn to lie better.
Re: (Score:2)
You're both trying (and failing) to deny that he claimed the bank officials, as individuals, have committed some criminal act.
Huh? WTF are you on about? I never claimed the bank was criminally liable. I said they were liable. That is the lack of nuance I was speaking of. You still have not answered whether or not that liability should be addressed.
Honestly, I do not see this conversation going anywhere. We are not able to communicate for some reason. Have a nice day.
Re: (Score:2)
If the CEO of the bank got prison time I might agree with you but since that won't happen then the ex-employee should be punished less.
Well no...they don't even know what a backup is (Score:2)
Re:Well no...they don't even know what a backup is (Score:5, Insightful)
With proper regulation, not having those backups will get the board in hot water because they failed their oversight duties. They also failed to suspend his accounts in a timely fashion (read: immediately, and if possible before the person is told that they are terminated). For banking IT such a failure is a big red flag and strongly indicates that they have really, really crappy IT.
Re: (Score:2)
Due to a screwup we had to just go ahead and revert everybody's balance to whatever it was last month. Sorry about any deposits you received in the interim. Nobody's perfect!
Sincerely,
Your Bank.
Re: (Score:2)
They may in fact have backups that run regularly, unless this person also had access to the backups and wiped those. In addition, having backups doesn't go poof and restore everything with the flick of a switch, it still causes damages through downtime, lost productivity and the time it takes to restore and reset configurations to match the restore if needed etc.
Emailed code (Score:2, Insightful)
"He also emailed himself proprietary bank code that he had worked on as an employee, which was valued at over $5,000."
This was probably innocuous.
Re: (Score:2)
Was probably just a quick code snippet he wanted to use at home. I've done that a few times, wouldn't constitute code theft normally, but after all the other shit he pulled...
Crappy leaver processes (Score:2)
And in a bank, no less. No argument about his sentence, but the ones responsible for not suspending his access should probably share his cell.
Re:Crappy leaver processes (Score:4, Funny)
the ones responsible for not suspending his access should probably share his cell.
If we make incompetence a crime, we're gonna need a lot more prisons.
Re: (Score:2)
True.
Re: (Score:2)
If we make incompetence a crime, we're gonna need a lot more prisons.
In certain situations, incompetence *IS* a crime. Any regulated industry is rife with situations where incompetence can lead to jail time.
Re: (Score:2)
The ones responsible may have some liability here for being negligent, but not a criminal liability that would send them to jail.
Re: (Score:3)
That could very well turn into liability.
Sure. They'll get a "naughty boy" letter from the Fed, some middle management lackey will get shown the door, and the executypes will get a raise for "demonstrating leadership through tough times" or some such bullshit.
Re: (Score:2)
Do you think that should result in jail time?
Re: (Score:2)
but the ones responsible for not suspending his access should probably share his cell.
Not a cell, but they certainly deserve to share the cardboard box they're living in.
Re: (Score:2)
And in a bank, no less. No argument about his sentence, but the ones responsible for not suspending his access should probably share his cell.
Not in a cell, but the second guy is probably in the unemployment line. First Republic Bank failed and was closed by the FDIC in May of this year.
Re: (Score:2)
Cannot say I am surprised.
I don't usually side with companies on things, but (Score:2)
Re:I don't usually side with companies on things, (Score:4, Insightful)
I hope he gets what's coming to him in the Federal Pound Me In The Ass prison.
Nobody deserves prison rape.
But Federal prisons are mostly financial crooks and other non-violent offenders.
He'll likely go to a minimum security facility.
Club Fed is a much better place to spend a few years than state prison.
Re: (Score:2)
Nobody deserves prison rape.
One could argue that those who advocate for prison rape deserve prison rape.
Re: (Score:3, Funny)
Jesus! It was a joke.
But not so funny when you're the . . . butt of it, eh?
I'll tell you who else should have been sacked (Score:2)
the IT guy who didn't back up the repos, and didn't disable the dude's access first and foremost, before HR got to him.
Re: (Score:2)
The other half of "make backups" is can these backups also be restored?
Classy guy (Score:3)
What a scumbag. I wonder if the guy in charge of locking accounts was him lol
Reminds me of a story by Jim Koch, the founder of Sam Adams beer. Very early on, when he was just starting, he said that he had to fire a driver for stealing lots of beer when doing deliveries. Well he made the mistake of not getting the guy's keys first. He came in the next day to find his office door unlocked and a present on his desk.
Re:Classy guy (Score:4, Funny)
He came in the next day to find his office door unlocked and a present on his desk.
Was it a decent beer?
is that what lost data is worth? (Score:2)
this kind of an award could likely bite data providers in the ass. who gets 2 years in the slammer when a customer loses their data? or is data really not worth that much? which?
Normally I don't side with the corporation (Score:2)
Re: (Score:2)
Dunno if you consider academia to be corporate enough, but I've seen some crazy stuff on staff, faculty, and lab machines ... a USB stick full of "plain ol' porn" is nothing....
Re: (Score:2)
I dunno. Isn't it kind of sketchy that the computer scanned and logged the contents of his drive when he connected it? Is it an invasive violation of his privacy? As far as I see it, if the files aren't being moved onto the computer, the computer shouldn't be poking around. (If it does need to poke around for security reasons, it certainly shouldn't be logging or reporting embarrassing but non-threatening files.) Obviously the company should have made it unnecessary for him to use a personal device though.
T
I'll bet they changed their process after that! (Score:2)
Oh wait, First Republic Bank went out of business this year.
Leaving in good order (Score:3)
I have been let go twice from developer positions, that I haven't resigned from myself.
Both times, it has been a matter of personal pride for me to commit my last code changes that I had been working on, for the sake of my colleagues, and then to say proper goodbyes to the people staying behind.
I think I would be more pissed off if I wasn't allowed to do that, than to be let go.
Was he working remotely when fired? (Score:2)
Always do an elegant exit! (Score:2)
Been programming for 37 years, doing professional web development for 23. Lots of douchebags, idiots, pointy haired bosses, clueless and obnoxious blowhards. Plenty of exits and layoffs.
But I _always_ see to it that I make a clean and elegant exit. You never know when you bump back into people. And there are always people in the room who don't say much but know exactly what's going on and might get back to you when they've changed teams.
IT personnel must and should have a work ethic. Destroying your clients
...his still-valid account to access... (Score:2)
Can someone find where his employer was fined for not terminating his access?