Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Crime Businesses Software The Courts Technology

Siemens Contractor Pleads Guilty To Planting Logic Bomb In Company Spreadsheets (zdnet.com) 165

Former Siemens contractor David Tinley faces up to 10 years in prison, a fine of $250,000, or both, for planting logic bombs inside spreadsheets he created for the company. The logic bomb would crash spreadsheets after a certain date, resulting in Siemens hiring the contractor to fix the latest bugs. ZDNet reports: According to court documents, Tinley provided software services for Siemens' Monroeville, PA offices for nearly ten years. Among the work he was asked to perform was the creation of spreadsheets that the company was using to manage equipment orders. The spreadshees included custom scripts that would update the content of the file based on current orders stored in other, remote documents, allowing the company to automate inventory and order management.

But while Tinley's files worked for years, they started malfunctioning around 2014. According to court documents, Tinley planted so-called "logic bombs" that would trigger after a certain date, and crash the files. Every time the scripts would crash, Siemens would call Tinley, who'd fix the files for a fee. The scheme lasted for two years, until May 2016, when Tinley's trickery was unraveled by Siemens employees. According to a report from Law360, the scheme fell apart when Tinley was out of town, and had to hand over an administrative password for the spreadsheets to Siemens' IT staff, so they could fix the buggy scripts and fill in an urgent order. Siemens IT employees found the logic bomb, and it all went downhill from there. Tinley was charged this May, and pled guilty last week, on July 19. The contractor's sentencing hearing is scheduled for November 8.

This discussion has been archived. No new comments can be posted.

Siemens Contractor Pleads Guilty To Planting Logic Bomb In Company Spreadsheets

Comments Filter:
  • by rsilvergun ( 571051 ) on Monday July 22, 2019 @07:55PM (#58969700)
    how on earth did it not occur to you somebody would turn on the Developer toolbar and read your scripts? I get that it can be tricky to debug code, but VBA is stupidly simple.
    • by ShanghaiBill ( 739463 ) on Monday July 22, 2019 @08:00PM (#58969730)

      It was also very stupid of Siemens to allow a contractor to have sole possession of the administrator passwords. Even it he was honest, he could get hit by a bus.

      • It was also very stupid of Siemens to allow a contractor to have sole possession of the administrator passwords. Even it he was honest, he could get hit by a bus.

        Exactly. That was even more alarming than the activity it was hiding. AES-128 encryption is now present, unlike older versions of Office that could be cracked rather easily.

    • by Anonymous Coward

      Hereâ(TM)s the stupid part: this guy knew when the logic bomb was going to go off. All he had to do to keep this gravy train running was be around then to set the next trap, and he couldnâ(TM)t even do that.

    • The real problem was a lack of obfuscation combined with a fastidiousness to well-comment the code.

      ' Time expires. This line makes the sheet unusable so they must hire me to "fix" it.

    • It did occur to him, which is precisely why he used passwords to lock down the VB script in the first place.

      I'm not sure of the current state of Office files, but prior to Office 365 you could use a reg edit to change a value in any Office file which would result in corrupting the password state. Re-saving the file after loading then proceeded to remove the master password. I've done this a few times to get access to VB scripts from which I had been locked out.

  • by bobstreo ( 1320787 ) on Monday July 22, 2019 @07:56PM (#58969704)

    They got what they deserved. If Tinley was smarter, he could have just made the spreadsheets so complicated they wouldn't need logic bombs.

    OTOH, ever had an SAP outage? If you managed to actually spend enough to make it work in the first place...

    • by Anonymous Coward

      Anyone stupid enough to use SAP deserves it.

    • by mspohr ( 589790 )

      Anybody who uses spreadsheets to manage data deserves this stupidity.

      • by pacman on prozac ( 448607 ) on Tuesday July 23, 2019 @01:48AM (#58970660)

        Spreadsheets are the enterprise database of choice!

      • Re: (Score:2, Interesting)

        Comment removed based on user account deletion
        • When it's just data in your spreadsheets, it's trivial to get them into a database. But if you've got a lot of complex formulas, it's going to be annoying to translate that to application logic, or Crystal reports or whatever.

      • by orlanz ( 882574 ) on Tuesday July 23, 2019 @06:33AM (#58971212)

        Having reviewed and audited such processes across many companies... Rest assured that the vast majority of businesses around the world have a lot of business processes in Excel. Examples include bank loans, home mortgages, inventory management, sales, scheduling, logistics, contacts, etc.

        Most of the time data is not stored here, but in reliable backends. But is most cases, the data is extracted, calculations done, presentations created, and most importantly decisions are made in Excels. And then that garbage is pumped back to the core systems that do their best to guard against corrupt data.

        Pre-xlsx and IE7, it was far worse because you had so much VB code doing all kinds of weird insecure stuff. But no one wanted to take on the risk of breaking things to fix this junk. Just built layers of auditing & correcting processes on top when an auditor like me randomly by chance found a rounding issue.

        It's just the way the world is.

  • by Anonymous Coward

    I find it disgusting that someone utilizing a computer in the act of committing fraud (?not even sure if this would be fraud? but clearly that is what the argument is) should see a harsher penalty them someone committing fraud without a computer. This sort of abuse of people simply because they happened to do it on a computer by the system is far worse than whatever abuse this guy committed.

    • Comment removed based on user account deletion
      • Fascism is so endemic in Italy that you actually want the government to enforce laws against drug distribution and use. Good little brown shirt. Now I see why Italy was part of the axis.

        • Comment removed based on user account deletion
          • I want the police to enforce laws against hard drug distribution. I don't care at all whether you enjoy a spliff in a private place. I want the police to arrest people who break into our condominium's basement, hide their drugs, leave used needles on the floor, smear the walls with blood.

            All of that shit is caused by treating drug addiction as a crime instead of as an illness, and/or by treating the homeless as a plague instead of humans who need help. Or, of course, overprescription of legal medications. It's not caused by drug use. Again, you've chosen the fascist's solution, and it is a final one.

  • Civil vs Criminal (Score:3, Interesting)

    by Luthair ( 847766 ) on Monday July 22, 2019 @08:21PM (#58969850)
    While morally wrong, why is this a criminal prosecution? If your a plumber either does something negligently or intentionally wrong the police aren't likely to arrest them, why should it be different when a computer is involved?
    • Re:Civil vs Criminal (Score:4, Informative)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday July 22, 2019 @08:24PM (#58969862) Homepage Journal

      If your a plumber either does something negligently or intentionally wrong the police aren't likely to arrest them, why should it be different when a computer is involved?

      Arrest is irrelevant. Willfully malignant acts like these are fraud.

    • by Cederic ( 9623 ) on Tuesday July 23, 2019 @03:55AM (#58970884) Journal

      If your plumber intentionally floods your house every few months then yes, the police will arrest and prosecute him.

      Proving that he's doing so could be tricky and after his work fails the first time you'll probably just employ a different plumber, which is actually the reason you see so few plumbers get arrested.

    • If your a plumber either does something negligently or intentionally wrong the police aren't likely to arrest them,

      If a plumber engages in massive, deliberate fraud, the police sure as hell will arrest him.

    • The police can and WILL arrest a plumber if you can prove that they sabotaged something they worked on.

      They generally do not because you rarely go to the bother of obtaining proof, you simply change plumbers.

      If your home town police don't do this when provided proof, they are either corrupt or inept.

    • If your a plumber either does something negligently or intentionally wrong the police aren't likely to arrest them

      Negligence? No.
      Intentional sabotage? Definitely the police would arrest people over that.

  • by Anonymous Coward

    Sounds a lot like what Apple and some printer manufacturers do: planned obsolescence.

    • Planned Hatorade (Score:5, Insightful)

      by Uberbah ( 647458 ) on Tuesday July 23, 2019 @02:19AM (#58970706)

      Sounds a lot like what Apple

      Apple, who supports their mobile and desktop systems for a long period of time, several times as much compared to your typical Android? If they wanted obsoleteness, they never would have implemented a software work around for aging batteries, and told people to buy new devices instead.

  • Oh how I do love the smell of coerced false confession in the morning!

  • by Anonymous Coward

    for using a fucking spreadsheet as a complex database.

  • Better logic (Score:4, Interesting)

    by GlobalEcho ( 26240 ) on Monday July 22, 2019 @09:02PM (#58970034)

    I don't necessarily expect any better out of a VBA developer, but I have to say one should be able to easily make a better logic bomb in VBA, say by limiting the length of some vital array by "mistake", or by exploiting one of the many Excel data compatibility bugs.

    • by kobaz ( 107760 )

      Exploiting... Reminds me of a guy who used to be my business partner would add custom user fields for people who wanted special-purpose data for each record as userfield1, userfield2, etc etc. Instead of normalizing the data into a key/value store in another table or just use a delimited list of notes or whatever more flexible way of doing it.

      He knew he could generalize it, but he chose not to and instead do thousands of dollars of 'upgrade fees' to add userfield2 to the system.

  • by ELCouz ( 1338259 ) on Monday July 22, 2019 @09:07PM (#58970048)
    It tells you everything... http://tinleyconsulting.com/ [tinleyconsulting.com]
  • by hyades1 ( 1149581 ) <hyades1@hotmail.com> on Monday July 22, 2019 @09:07PM (#58970050)

    Compare this guy's "business model" to Microsoft and Adobe. Once they got buried balls deep in your business with Office and Photoshop, they stopped selling them and started charging you rental. If their corporate liplock on your bank account fails, for whatever reason, you are going to be in the same boat as Siemens.

    At least Tinley's files worked for a few years, and he's had the common decency to plead guilty.

    • Let's not forget Oracle and the Java updates that pop up with notice to cough up the $$$ if you're using them in a business. Nevermind that was distributed as some kind of "free software"

    • Microsoft and Adobe are up front and honest about what you are purchasing. Want to get Office 2019? You'll have a copy for life (well, unless they go bankrupt and the license servers go down, but that's a whole separate argument). Want to get Office 365? You'll get the subscription. And what you're paying for is made clear from the start. Now if they said O365 was a one-time payment, but you had to pay for upgrades, and each version was time limited (and they never told you this and disguised the time limit

    • by AmiMoJo ( 196126 )

      The big thing preventing people moving their spreadsheets to other platforms is scripting. All the formula stuff is easy to automatically import, but no other spreadsheet software supports VB script and there is no way to automatically, reliably translate it to something else.

      We need an open standard for spreadsheet scripting, and it needs to be something other than VBS or JavaScript.

      • I've never used vbscript in a spreadsheet because I am not that sick in the head, but it seems like you could import the data, then port your scripts to Crystal reports (which uses vbscript.) I have done some moderately complicated things in Crystal.

        • by AmiMoJo ( 196126 )

          Maybe it could be compiled to asm.js or some similar BS, because at least JS is an open standard.

    • by Anonymous Coward

      "Written laws are like spiders' webs; they will catch, it is true, the weak and poor, but would be torn in pieces by the rich and powerful. Laws are spider-webs, which catch the little flies, but cannot hold the big ones." -- Anacharsis (per a brief Web search)

    • by ebvwfbw ( 864834 )

      You see, it's the briefcase. He probably didn't have a briefcase.

      Along with that PR people, Other people good at BS. Probably didn't charge enough as well.

      A lot of these companies employ short skirts for sales. They do well.

  • That's not how you create job security. You put in buzzwords like microservices, no-sql, neural nets, block-chain, IOT, cloud services, etc. They'll have to hire you back to figure it all out, and you have the alibi of "keeping up with trends" and "modernizing the organization to be proactively cyber-ready". I've rarely seen that punished. Pointy-haired bosses just say, "okay, whatever, just fix it please."

  • So Siemens, how does planned obsolescence feels like? Won't shade a tear.
  • I am still amazed seeing big corporations (Siemens, GE, etc...) doing information management work through contractors.
    Was there any risk assessment in the decision making of putting a contractor in front of such data ? (on a fucking spreadsheet)

    He was a contractor for 10 years, did it occur to them to, maybe, offer him his position as an employee ? they clearly needed him for 10 years
  • When working with anything involving date and time, logic bombs that aren't deliberate are a guarantee. Personally my code is not so bad as I check, check and check again when it comes to anything involving dates and time.

    However, virtually every piece of code I've looked at has all kinds of effective logic bombs involving dates and times. That's what I'm working on now, fixing code with issues around dates and times.

    Last year I helped fix a horrendous mess with gigabytes of spreadsheets, multiple doc
  • Supposing the contractor's logic bombs merely caused his own contributions to cease working (rather than breaking existing programs or locking hardware) it's not at all clear to me he could have been convicted as a matter of law.

    Remember the rule of lenity requires ambiguities in the law to be interpreted in the way that is most favorable to defendants and it's unclear if providing code which only works for a limited period of time constitutes intentional damage to the government computer (see statute here:

    • Putting the logic bombs in was outside the scope of the customer request, and it was willful. That combination makes it an open and shut case.

  • by Anonymous Coward

    all over your spread sheets eh

  • It sounds like he just tossed in some code that caused the spreadsheet itself to fail.

    Writing a piece of software with a shelf life or that will stop working after a certain date and
    making that have an explicit check is not the same idea as a logic bomb.

    It may be that data re-organization needs to be done manually by a certain date (such as table partitioning),
    and a program stopping itself to ensure proper maintenance is done, or for license enforcement.

    A logic bomb is launching a malicious payload at a ce

    • It's not clear what you mean. The scripts crashed due solely to the date-checking logic, according to TFA. Isn't that what you define as a logic bomb?
      • by mysidia ( 191772 )

        Yes, they said the script itself crashed. There is nothing stated that the script ran any kind of malicious payload calculated to cause
        or actions to happen to a computer system, such as deleting or damaging other files, or interfering with other software: only the
        developer's own script stopped running - the concept of "Logic Bomb" - is software that conducts sabotage to a computer system and spreads damage; the word "Bomb" is because there is a blast radius that encompasses an entire system - as

  • Years ago, a logic bomb was undercovered in control software where I work. The developer configured a software timer to trip a malfunction, which required the developer to "repair" it during off hours. He was exploiting overtime and fattening his wallet with the logic bomb, at the expense of production capacity and potential missed shipments. Someone noticed the pattern of failures and started an investigation. Needless to say, he was terminated.
  • the scheme fell apart when Tinley was out of town

    If you've ever wondered why your company has a mandatory vacation policy, that's why. If you've ever wished your company had such a policy, there's a good argument for you to use. 'Never takes a vacation' is one of the warning signs of embezzlement.

  • Why in the world is an €83 BILLION company using an Excel spreadsheet to automate inventory and order management????

    A mere day's revenue would be a significant down payment on SAP or Oracle.
  • Ransomware

Solutions are obvious if one only has the optical power to observe them over the horizon. -- K.A. Arsdall

Working...