
Dev Gets 4 Years For Creating Kill Switch On Ex-Employer's Systems (bleepingcomputer.com)

Davis Lu, a former Eaton Corporation developer, has been sentenced to four years in prison for sabotaging his ex-employer's Windows network with malware and a custom kill switch that locked out thousands of employees once his account was disabled. The attack caused significant operational disruption and financial losses, with Lu also attempting to cover his tracks by deleting data and researching privilege escalation techniques. BleepingComputer reports: After a corporate restructuring and subsequent demotion in 2018, the DOJ says that Lu retaliated by embedding malicious code throughout the company's Windows production environment. The malicious code included an infinite Java thread loop designed to overwhelm servers and crash production systems. Lu also created a kill switch named "IsDLEnabledinAD" ("Is Davis Lu enabled in Active Directory") that would automatically lock all users out of their accounts if his account was disabled in Active Directory. When his employment was terminated on September 9, 2019, and his account disabled, the kill switch activated, causing thousands of users to be locked out of their systems.

"The defendant breached his employer's trust by using his access and technical knowledge to sabotage company networks, wreaking havoc and causing hundreds of thousands of dollars in losses for a U.S. company," said Acting Assistant Attorney General Matthew R. Galeotti. When he was instructed to return his laptop, Lu reportedly deleted encrypted data from his device. Investigators later discovered search queries on the device researching how to elevate privileges, hide processes, and quickly delete files. Lu was found guilty earlier this year of intentionally causing damage to protected computers. After his four-year sentence, Lu will also serve three years of supervised release following his prison term.

  • by Kisai ( 213879 ) on Friday August 22, 2025 @06:28AM (#65607200)

    Dude should have made it so if his manager's account was disabled. It would have been obvious if it was checking for his account. Consider it a parting gift. /s

    In all seriousness, kill-switches should only be created for military systems to self-destruct the device so that hardware that falls into the hands of the enemy self-destructs rather than remains operable. It makes it impractical of course in case someone loses the device.

    Any other situation, kill switches aren't even necessary, if you're someone vital to the operational stability of the company, then the minute you're gone, your presence missing will be noticed as maintenance stops functioning.

    • Re:Careless (Score:4, Informative)

      by mysidia ( 191772 ) on Friday August 22, 2025 @06:36AM (#65607210)

      kill-switches should only be created for military systems to self-destruct the device

      They are actually commonly used in the software industry for the purpose of disabling systems in case the customer forgot to make a payment to renew their license. For example: Backup software license expired, so the next day all the scheduled backup jobs are failing. Also, the buttons to start a manual backup or initiate a restore are greyed out requiring you to contact the vendor and pay for more time on that program's copyright license.

    • > if his manager's account was disabled

      Oh the chaos that would ensue. :)

      Narcissists often get caught because they lack subtlety.

      • Maybe that is why your favorite abuser of underage girls and enabler of romance scammers is in jail for his financial crimes.
    • by taustin ( 171655 )

      Any other situation, kill switches aren't even necessary, if you're someone vital to the operational stability of the company, then the minute you're gone, your presence missing will be noticed as maintenance stops functioning.

      The world is full of people who see themselves as vital, who actually aren't. This is how they cope with that reality.

      • by v1 ( 525388 )

        People that consider themselves vital, but then have to take steps to create artificial vitality - their own actions are proving them wrong.

        If you were truly vital, your simple absence would be a disaster all by itself. If you have to engineer that condition, you're NOT vital. This is just an arrogant, self-important narcissist behaving badly and getting what they've got coming, at the cost of others.

        I don't think there are enough stories like this in the news. It's pretty easy to find accounts BY such i

      • The world is full of people who see themselves as vital, who actually aren't. This is how they cope with that reality.

        In a large company, if there is someone who is truly vital, then management at that company has failed. It's the bus test: "what would happen if xzy fell under a bus tomorrow?".

        While no-one is truly irreplaceable, the issue is cost and time. In a small company, the cost and time to replace some employees may be fatal to the company.

  • Fool (Score:5, Funny)

    by dwywit ( 1109409 ) on Friday August 22, 2025 @06:32AM (#65607204)

    "how to elevate privileges, hide processes, and quickly delete files"

    He had to look that up? What an incompetent fool. He deserves his sentence.

    Makes the rest of us look bad.

    • by Viol8 ( 599362 )

      I'm not sure hiding processes would be considered basic knowledge.

    • Re:Fool (Score:4, Funny)

      by AmiMoJo ( 196126 ) on Friday August 22, 2025 @06:46AM (#65607216) Homepage Journal

      Does sound like amateur hour. After I left, the company contracted me to fix a few things because they didn't hire a replacement in time and the guy they got couldn't wrap his head around the systems I had built. Didn't even have to try to sabotage anything, and it was all well documented. All you really need to do is rely on the company to screw it up themselves.

    • Re:Fool (Score:5, Insightful)

      by gweihir ( 88907 ) on Friday August 22, 2025 @07:11AM (#65607280)

      It is not surprising he had to look this up. A competent IT security person would not have done it, because it is exceptionally likely that you will get caught. It is always the amateurs with delusions that do this crap.

      • by madbrain ( 11432 )

        Imagine for a moment if the company wasn't competent enough to trace it back to him.
        They would then have no idea that the damage happened as a result of his firing.

        Can you really enjoy your revenge, if the victim doesn't even know that it was revenge?
        I think it is a bit of a conundrum. It might be why he didn't even try to hide it.

        • by gweihir ( 88907 )

          Good point. Angry, aggressive, out for revenge and not thinking about the consequences for himself at all. Essentially an intellectual child.

  • ...that the company already realised that the guy was a bit of a jackass. A demotion is a clear message that "we think you're a waste of desk space but you're not so useless that we can fire you but perhaps you should think about looking elsewhere"

    • by DarkOx ( 621550 )

      Generally but not always. I used to work with a guy who got promoted to director. He wasn't terribly good at it. It was a shift lower management that he was very good at. However it also represented the change from tactical problem solving to strategic thinking and to pitching ideas and convincing people you mostly report to ie VPs, and C-Suite, vs organizing people who mostly report to you.

      It was perfectly clear to everyone, including him after 8 months or so he was just not working out in the new role

      • by Viol8 ( 599362 )

        I've always avoided moving into management despite having had the opportunity a few times. I'm not a people person, I'm not interested in managing them or dealing with their issues, I'm far better doing stuff on a computer. Probably cost me a fair amount of money in the long run but I've no regrets.

  • Sigh (Score:4, Insightful)

    by ledow ( 319597 ) on Friday August 22, 2025 @07:22AM (#65607314) Homepage

    Tell me why a dev has access to AD enough to lock out other people, including admins.

    This is just dumb-ass network management.

    • by DarkOx ( 621550 )

      I would guess it is pretty common in large enterprises. Most of them will have some custom identity and access management solutions, even if it is just glue to make some actions in PeopleSoft/SAP/Pick-your-HR-IS-SaaS-thing trigger events in AD:DS/Entra/Okta/AWS-IAM/etc.

      Maybe they don't have an account themselves with access but if they commit some code that gets promoted to production and runs with account privileges that do...well bob's your uncle.

    • by MeNeXT ( 200840 )

      Because the PHB thinks it's a good idea.

      Security is important until the president is shown a presentation of this cool new gizmo/fad.

    • Tell me why a dev has access to AD enough to lock out other people, including admins.

      Perhaps it is because Windows has frequent security issues?

  • Shows he either really likes his initials, or did not care if he got caught, or both.

    In the good old days, he could have used self-modifying code to try to cover his tracks a little bit.

    • Shows he either really likes his initials, or did not care if he got caught, or both.

      You could call it WatermelonRutabaga and the test would still have to point to the account in order to function, so it would still be self-documenting.

  • That guy just made sure he will never be hired again for the same or similar functions again.

    • It’s a youthful mistake. Won’t the 4 years spent in prison be enough for him to deserve a second chance?
      • by taustin ( 171655 )

        No. People that full of themselves (and malice) do not learn. I wouldn't hire someone with that poor of judgement, and that delusional a view of their own abilities, to flip burgers.

  • So no one does code reviews anymore? No one noticed new code going into a codebase?
    • Yeah, lots of red flags all over the place. If one person can create a disaster like this, what else is this company doing horribly wrong? I wouldn't trust them with my information, that's for sure.

    • by sloth jr ( 88200 )
      Why would you follow code review policy when you're writing and installing malware? Are you expecting a Change Management meeting? Guy wrote a program and installed it, not like it was part of production code base.

      Now, why he had access to AD, that's a different and very interesting question that does raise the same sort of question you're alluding to.
    • Would he commit to a repo? Why? Such a system would be deployed without due process
