Siemens Contractor Pleads Guilty To Planting Logic Bomb In Company Spreadsheets (zdnet.com)
Former Siemens contractor David Tinley faces up to 10 years in prison, a fine of $250,000, or both, for planting logic bombs inside spreadsheets he created for the company. The logic bomb would crash the spreadsheets after a certain date, resulting in Siemens hiring the contractor to fix the latest bugs. ZDNet reports: According to court documents, Tinley provided software services for Siemens' Monroeville, PA offices for nearly ten years. Among the work he was asked to perform was the creation of spreadsheets that the company was using to manage equipment orders. The spreadsheets included custom scripts that would update the content of the file based on current orders stored in other, remote documents, allowing the company to automate inventory and order management.
But while Tinley's files worked for years, they started malfunctioning around 2014. According to court documents, Tinley planted so-called "logic bombs" that would trigger after a certain date, and crash the files. Every time the scripts would crash, Siemens would call Tinley, who'd fix the files for a fee. The scheme lasted for two years, until May 2016, when Tinley's trickery was unraveled by Siemens employees. According to a report from Law360, the scheme fell apart when Tinley was out of town, and had to hand over an administrative password for the spreadsheets to Siemens' IT staff, so they could fix the buggy scripts and fill in an urgent order. Siemens IT employees found the logic bomb, and it all went downhill from there. Tinley was charged this May, and pled guilty last week, on July 19. The contractor's sentencing hearing is scheduled for November 8.
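The mechanism in the summary is a macro that compares the current date with a cut-off and then breaks the workbook. A reviewer who receives a contractor's macro-enabled workbook can look for exactly that pattern before it goes into production. The scanner below is an added example, not code from the article, the court documents or Siemens; it works on VBA source text such as the module dump produced by olevba from the oletools project, and the sample module it scans is constructed for illustration. The list of "payload" statements is a heuristic assumption, not a definitive catalogue.

```python
"""Flag date-gated kill switches in VBA source (added example; feed it macro
text dumped by a tool such as olevba from oletools)."""
import re
from dataclasses import dataclass

# Functions/literals a time trigger is built from, and the comparisons that gate it.
DATE_FUNCS = r"\b(?:Date|Now|Timer|DateSerial|DateValue|DateDiff|DateAdd|Year|Month|Day)\b"
TRIGGER_RE = re.compile(rf"(?:{DATE_FUNCS}|#\d{{1,2}}/\d{{1,2}}/\d{{2,4}}#)", re.IGNORECASE)
COMPARE_RE = re.compile(r"(?:>=|<=|<>|[<>=])")
# Statements that make the workbook unusable or silence the user (assumed, heuristic list).
PAYLOAD_RE = re.compile(
    r"(?:Application\.Quit|(?:ActiveWorkbook|ThisWorkbook)\.Close|\bKill\b|\.Delete\b"
    r"|\.Clear(?:Contents|Formats)?\b|Err\.Raise|\bError\s+\d+|DisplayAlerts\s*=\s*False"
    r"|\.Protect\b|(?<!\.)\bEnd\b(?!\s*(?:If|Sub|Function|Property|With|Select|Type|Enum)\b|\s*\())",
    re.IGNORECASE)
IF_RE = re.compile(r"(else)?if\b(.*?)\bthen\b(.*)$", re.IGNORECASE)


@dataclass
class Finding:
    line: int   # first source line of the flagged If
    kind: str
    code: str


def logical_lines(src):
    """Yield (first_line_no, text) with VBA ' _' line continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(src.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith(" _"):
            buf.append(line[:-2])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def strip_comment(code):
    """Drop a trailing ' comment or a Rem line, respecting string literals."""
    if code.lstrip().lower().startswith("rem ") or code.strip().lower() == "rem":
        return ""
    in_str = False
    for i, ch in enumerate(code):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return code[:i]
    return code


def scan_vba(src):
    """Return Findings for If conditions that test a date and then run a payload."""
    findings = []
    stack = []  # open If blocks: [start_line, date_gated, has_payload, code]
    for no, text in logical_lines(src):
        code = strip_comment(text).strip()
        if not code:
            continue
        m = IF_RE.match(code)
        if m:
            is_elseif, cond, rest = m.group(1), m.group(2), m.group(3).strip()
            dated = bool(TRIGGER_RE.search(cond) and COMPARE_RE.search(cond))
            if is_elseif:
                if stack and dated:      # a dated ElseIf branch gates the same block
                    stack[-1][1] = True
            elif rest:                   # single-line If ... Then <statement>
                if dated and PAYLOAD_RE.search(rest):
                    findings.append(Finding(no, "single-line date-gated payload", code))
            else:
                stack.append([no, dated, False, code])
            continue
        if code.lower().startswith("end if"):
            if stack:
                start, dated, payload, if_code = stack.pop()
                if dated and payload:
                    findings.append(Finding(start, "date-gated block with destructive payload", if_code))
            continue
        if PAYLOAD_RE.search(code):      # attribute the payload to the innermost dated If
            for frame in reversed(stack):
                if frame[1]:
                    frame[2] = True
                    break
    return findings


# Constructed sample module: one hidden block bomb, one one-line bomb, two benign date uses.
SAMPLE_VBA = """\
' Constructed sample module, not code from the case
Sub RefreshOrders()
    Dim expiry As Date
    expiry = DateSerial(2016, 5, 1)
    If Date > expiry Then
        Application.DisplayAlerts = False
        ThisWorkbook.Sheets("Orders").Cells.Clear
        Application.Quit
    End If
    If Year(Date) > 2013 Then Range("B1").Value = "new layout"
    Range("A1").Value = "Refreshed " & _
        Format(Now, "yyyy-mm-dd")
    If Now > #1/1/2015# Then Err.Raise 1004
End Sub
"""

if __name__ == "__main__":
    for f in scan_vba(SAMPLE_VBA):
        print(f"line {f.line}: {f.kind}: {f.code}")
```

The scanner only reports a date comparison when a destructive statement sits under it, so a benign "use a new layout after 2013" branch or a timestamp label built from `Now` is not flagged, while both the multi-line block (line 5 of the sample) and the one-liner (line 13) are. It is a triage aid, not proof: a bomb can hide the date behind a cell value or an external file, which is why the password for a contractor's VBA project should be in the company's hands from the start.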
Wow, that's really stupid (Score:5, Interesting)
Re:Wow, that's really stupid (Score:5, Insightful)
It was also very stupid of Siemens to allow a contractor to have sole possession of the administrator passwords. Even if he was honest, he could get hit by a bus.
Re: (Score:2)
Siemens management wouldn't have blinked an eye at such a request from a contractor.
Surely the fact that they do it would be a huge red flag to them.
Keep my IT out of it (Score:2)
Siemens management was smart enough to know that if their IT staff had the password they would probably mess with the code and break it.
OTOH, it is trivial to break the VBA password if needed (Google it).
I obfuscate all my VBA code. Did he?
Re: (Score:2)
It was also very stupid of Siemens to allow a contractor to have sole possession of the administrator passwords. Even if he was honest, he could get hit by a bus.
Exactly. That was even more alarming than the activity it was hiding. AES-128 encryption is now present, unlike older versions of Office that could be cracked rather easily.
Re: (Score:2)
Re: Wow, that's really stupid (Score:1)
Re: Wow, that's really stupid (Score:3, Informative)
Here's the stupid part: this guy knew when the logic bomb was going to go off. All he had to do to keep this gravy train running was be around then to set the next trap, and he couldn't even do that.
Re: (Score:2)
So many clients, so many time bombs, it's hard to keep track of all them.
Re: (Score:2)
Re: (Score:2)
The real problem was a lack of obfuscation combined with a fastidiousness to well-comment the code.
' Time expires. This line makes the sheet unusable so they must hire me to "fix" it.
Re: (Score:2)
It did occur to him, which is precisely why he used passwords to lock down the VB script in the first place.
I'm not sure of the current state of Office files, but prior to Office 365 you could use a reg edit to change a value in any Office file which would result in corrupting the password state. Re-saving the file after loading then proceeded to remove the master password. I've done this a few times to get access to VB scripts from which I had been locked out.
Spreadsheets to manage customer orders? (Score:5, Insightful)
They got what they deserved. If Tinley was smarter, he could have just made the spreadsheets so complicated they wouldn't need logic bombs.
OTOH, ever had an SAP outage? If you managed to actually spend enough to make it work in the first place...
Re: (Score:1)
Anyone stupid enough to use SAP deserves it.
Re: (Score:2)
Anybody who uses spreadsheets to manage data deserves this stupidity.
Re:Spreadsheets to manage customer orders? (Score:5, Funny)
Spreadsheets are the enterprise database of choice!
Re: (Score:2, Interesting)
Re: (Score:3)
When it's just data in your spreadsheets, it's trivial to get them into a database. But if you've got a lot of complex formulas, it's going to be annoying to translate that to application logic, or Crystal reports or whatever.
Re: Spreadsheets to manage customer orders? (Score:5, Interesting)
Having reviewed and audited such processes across many companies... Rest assured that the vast majority of businesses around the world have a lot of business processes in Excel. Examples include bank loans, home mortgages, inventory management, sales, scheduling, logistics, contacts, etc.
Most of the time data is not stored here, but in reliable backends. But is most cases, the data is extracted, calculations done, presentations created, and most importantly decisions are made in Excels. And then that garbage is pumped back to the core systems that do their best to guard against corrupt data.
Pre-xlsx and IE7, it was far worse because you had so much VB code doing all kinds of weird insecure stuff. But no one wanted to take on the risk of breaking things to fix this junk. Just built layers of auditing & correcting processes on top when an auditor like me randomly by chance found a rounding issue.
It's just the way the world is.
Re:Now that's what I call job security. (Score:4, Interesting)
What did they arrest him on, fraud?
Yes. Specifically Title 18 USC Section 1030, a violation of the Computer Fraud and Abuse Act [wikipedia.org].
This a very serious federal offense because he used a COMPUTER. Paper-based fraud is a far less serious crime handled by the local police.
But don't worry, 98% of federal indictments end in a plea bargain, and since he is pleading guilty, there is almost certainly a deal on the table. He will pay a big fine, but will serve little or no prison time. Way less than 10 years.
Re: (Score:3)
But what was done here was very clearly done on malice and not by stupidity.
(Well it was stupid, but the cause of the issue was malice)
Re: (Score:2)
The charge was that he "did intentionally cause damage without authorization to a computer" (and the relevant part of Title 18 he was charged with has it as "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer") - the summary and the Law360 article don't say he did that, only that he caused his product (a spreadsheet) to cease functioning.
While that may well be fraudulent, I
Re: (Score:2)
Re: (Score:3)
Everyone here is calling it a logic bomb and yet when corps do similar things, it is called DRM. What is the difference?
Re: (Score:2)
Re: (Score:2)
Everyone here is calling it a logic bomb and yet when corps do similar things, it is called DRM. What is the difference?
The contract.
I have no tolerance for DRM "protecting" things which should not be protected, like government PDFs with copy-and-paste protection turned on. But for entertainment media, if you agree to have it expire, that's on you.
Re: (Score:2)
Disgusting: adding "computer" to a crime shouldn't (Score:1, Interesting)
I find it disgusting that someone utilizing a computer in the act of committing fraud (?not even sure if this would be fraud? but clearly that is what the argument is) should see a harsher penalty them someone committing fraud without a computer. This sort of abuse of people simply because they happened to do it on a computer by the system is far worse than whatever abuse this guy committed.
Re: (Score:2)
Re: (Score:2)
Fascism is so endemic in Italy that you actually want the government to enforce laws against drug distribution and use. Good little brown shirt. Now I see why Italy was part of the axis.
Re: (Score:2)
Re: (Score:2)
I want the police to enforce laws against hard drug distribution. I don't care at all whether you enjoy a spliff in a private place. I want the police to arrest people who break into our condominium's basement, hide their drugs, leave used needles on the floor, smear the walls with blood.
All of that shit is caused by treating drug addiction as a crime instead of as an illness, and/or by treating the homeless as a plague instead of humans who need help. Or, of course, overprescription of legal medications. It's not caused by drug use. Again, you've chosen the fascist's solution, and it is a final one.
Civil vs Criminal (Score:3, Interesting)
Re:Civil vs Criminal (Score:4, Informative)
If your plumber either does something negligently or intentionally wrong the police aren't likely to arrest them, why should it be different when a computer is involved?
Arrest is irrelevant. Willfully malignant acts like these are fraud.
Re: (Score:2)
Re: (Score:2)
How much damage can a plumber do to your multi billion dollar business?
You can figure out the rest from here following the logic breadcrumb I left you. If not then please do not breed.
Depends, does he have to do it via plumbing?
Re:Civil vs Criminal (Score:5, Insightful)
If your plumber intentionally floods your house every few months then yes, the police will arrest and prosecute him.
Proving that he's doing so could be tricky and after his work fails the first time you'll probably just employ a different plumber, which is actually the reason you see so few plumbers get arrested.
Re: (Score:2)
If a plumber engages in massive, deliberate fraud, the police sure as hell will arrest him.
Re: (Score:2)
The police can and WILL arrest a plumber if you can prove that they sabotaged something they worked on.
They generally do not because you rarely go to the bother of obtaining proof, you simply change plumbers.
If your home town police don't do this when provided proof, they are either corrupt or inept.
Re: (Score:2)
If your plumber either does something negligently or intentionally wrong the police aren't likely to arrest them
Negligence? No.
Intentional sabotage? Definitely the police would arrest people over that.
Planned obsolescence (Score:1, Insightful)
Sounds a lot like what Apple and some printer manufacturers do: planned obsolescence.
Planned Hatorade (Score:5, Insightful)
Apple, who supports their mobile and desktop systems for a long period of time, several times as much compared to your typical Android? If they wanted obsoleteness, they never would have implemented a software work around for aging batteries, and told people to buy new devices instead.
Re: (Score:2)
Any good slashdotter should know what voltage sag is, and how you correct and deal with it.
They didn't detect it and then turn down the speed, though. They just did it. They didn't do any kind of testing to determine whether it was necessary on users' devices, and they didn't let users decide whether it should be done. And as the GP says, they make the phones a PITA to repair; many users would simply opt to replace the battery, if only it were cheaper.
IMO Apple users deserve what they get for buying an iDevice, but Apple is still douchey. That they are surrounded all about by other douchebags doe
Re: (Score:2)
Of course they did. That's why old phones speed up when the battery is replaced.
Aside from all the testing for temperatures and battery draw, sure.
That was Apple's actual fuck-up: not telling people about the work-around and making it an optional setting. But the simple fact is that the fix extended th
"pled guilty" (Score:1)
Oh how I do love the smell of coerced false confession in the morning!
Siemens should be fined as well.. (Score:1)
for using a fucking spreadsheet as a complex database.
Better logic (Score:4, Interesting)
I don't necessarily expect any better out of a VBA developer, but I have to say one should be able to easily make a better logic bomb in VBA, say by limiting the length of some vital array by "mistake", or by exploiting one of the many Excel data compatibility bugs.
Re: (Score:3)
Exploiting... Reminds me of a guy who used to be my business partner would add custom user fields for people who wanted special-purpose data for each record as userfield1, userfield2, etc etc. Instead of normalizing the data into a key/value store in another table or just use a delimited list of notes or whatever more flexible way of doing it.
He knew he could generalize it, but he chose not to and instead do thousands of dollars of 'upgrade fees' to add userfield2 to the system.
Well look at his website.... (Score:4, Interesting)
Re: (Score:2)
He has quite a large house---with Gothic pointed arch windows! I'm sure he wasn't inexpensive.
Re: (Score:3)
I love that his landing page has a testimonial quote by Siemens
Re: (Score:2)
ActiveX? Visual Interdev?! Wow, that takes me back...
Re: (Score:2)
Pays for a domain.
Hosts email on Hotmail.
Yep the website said everything you need to know about this "consultant".
He just implemented poorly (Score:5, Interesting)
Compare this guy's "business model" to Microsoft and Adobe. Once they got buried balls deep in your business with Office and Photoshop, they stopped selling them and started charging you rental. If their corporate liplock on your bank account fails, for whatever reason, you are going to be in the same boat as Siemens.
At least Tinley's files worked for a few years, and he's had the common decency to plead guilty.
Re: (Score:3)
Let's not forget Oracle and the Java updates that pop up with notice to cough up the $$$ if you're using them in a business. Nevermind that was distributed as some kind of "free software"
Re: (Score:1)
Microsoft and Adobe are up front and honest about what you are purchasing. Want to get Office 2019? You'll have a copy for life (well, unless they go bankrupt and the license servers go down, but that's a whole separate argument). Want to get Office 365? You'll get the subscription. And what you're paying for is made clear from the start. Now if they said O365 was a one-time payment, but you had to pay for upgrades, and each version was time limited (and they never told you this and disguised the time limit
Re: (Score:1)
The big thing preventing people moving their spreadsheets to other platforms is scripting. All the formula stuff is easy to automatically import, but no other spreadsheet software supports VB script and there is no way to automatically, reliably translate it to something else.
We need an open standard for spreadsheet scripting, and it needs to be something other than VBS or JavaScript.
Re: (Score:2)
I've never used vbscript in a spreadsheet because I am not that sick in the head, but it seems like you could import the data, then port your scripts to Crystal reports (which uses vbscript.) I have done some moderately complicated things in Crystal.
Re: (Score:2)
Maybe it could be compiled to asm.js or some similar BS, because at least JS is an open standard.
Re: (Score:1)
Quite frankly any execs at a company the size of Siemens that approved of critical business functions being handled this way should be fired for malice. If they claim they did not know critical business functions were being handled this way they should still be fired for neglect for not knowing how critical business functions operated that they were in charge of.
Laws are like spider webs (Score:1)
"Written laws are like spiders' webs; they will catch, it is true, the weak and poor, but would be torn in pieces by the rich and powerful. Laws are spider-webs, which catch the little flies, but cannot hold the big ones." -- Anacharsis (per a brief Web search)
Re: (Score:1)
You see, it's the briefcase. He probably didn't have a briefcase.
Along with that PR people, Other people good at BS. Probably didn't charge enough as well.
A lot of these companies employ short skirts for sales. They do well.
Re: (Score:3)
Smart evil requires more subtlety (Score:2)
That's not how you create job security. You put in buzzwords like microservices, no-sql, neural nets, block-chain, IOT, cloud services, etc. They'll have to hire you back to figure it all out, and you have the alibi of "keeping up with trends" and "modernizing the organization to be proactively cyber-ready". I've rarely seen that punished. Pointy-haired bosses just say, "okay, whatever, just fix it please."
Planned obsolescence. (Score:2)
Risk assessment (Score:1)
Was there any risk assessment in the decision making of putting a contractor in front of such data ? (on a fucking spreadsheet)
He was a contractor for 10 years, did it occur to them to, maybe, offer him his position as an employee ? they clearly needed him for 10 years
What amazes me... (Score:1)
However, virtually every piece of code I've looked at has all kinds of effective logic bombs involving dates and times. That's what I'm working on now, fixing code with issues around dates and times.
Last year I helped fix a horrendous mess with gigabytes of spreadsheets, multiple doc
Is That Really A Violation of This Law? (Score:2)
Supposing the contractor's logic bombs merely caused his own contributions to cease working (rather than breaking existing programs or locking hardware) it's not at all clear to me he could have been convicted as a matter of law.
Remember the rule of lenity requires ambiguities in the law to be interpreted in the way that is most favorable to defendants and it's unclear if providing code which only works for a limited period of time constitutes intentional damage to the government computer (see statute here:
Re: (Score:2)
Putting the logic bombs in was outside the scope of the customer request, and it was willful. That combination makes it an open and shut case.
A load of Siemens (Score:1)
all over your spread sheets eh
Is this really a logic bomb, though? (Score:2)
It sounds like he just tossed in some code that caused the spreadsheet itself to fail.
Writing a piece of software with a shelf life or that will stop working after a certain date and
making that have an explicit check is not the same idea as a logic bomb.
It may be that data re-organization needs to be done manually by a certain date (such as table partitioning),
and a program stopping itself to ensure proper maintenance is done, or for license enforcement.
A logic bomb is launching a malicious payload at a ce
Re: (Score:2)
Re: (Score:2)
Yes, they said the script itself crashed. There is nothing stated that the script ran any kind of malicious payload calculated to cause
or actions to happen to a computer system, such as deleting or damaging other files, or interfering with other software: only the
developer's own script stopped running - the concept of "Logic Bomb" - is software that conducts sabotage to a computer system and spreads damage; the word "Bomb" is because there is a blast radius that encompasses an entire system - as
Hardly the first time (Score:2)
Vacation (Score:1)
the scheme fell apart when Tinley was out of town
If you've ever wondered why your company has a mandatory vacation policy, that's why. If you've ever wished your company had such a policy, there's a good argument for you to use. 'Never takes a vacation' is one of the warning signs of embezzlement.
Gross failure (Score:1)
A mere day's revenue would be a significant down payment on SAP or Oracle.
aka (Score:1)