

Dev Gets 4 Years For Creating Kill Switch On Ex-Employer's Systems (bleepingcomputer.com)
Davis Lu, a former Eaton Corporation developer, has been sentenced to four years in prison for sabotaging his ex-employer's Windows network with malware and a custom kill switch that locked out thousands of employees once his account was disabled. The attack caused significant operational disruption and financial losses, with Lu also attempting to cover his tracks by deleting data and researching privilege escalation techniques. BleepingComputer reports: After a corporate restructuring and subsequent demotion in 2018, the DOJ says that Lu retaliated by embedding malicious code throughout the company's Windows production environment. The malicious code included an infinite Java thread loop designed to overwhelm servers and crash production systems. Lu also created a kill switch named "IsDLEnabledinAD" ("Is Davis Lu enabled in Active Directory") that would automatically lock all users out of their accounts if his account was disabled in Active Directory. When his employment was terminated on September 9, 2019, and his account disabled, the kill switch activated, causing thousands of users to be locked out of their systems.
"The defendant breached his employer's trust by using his access and technical knowledge to sabotage company networks, wreaking havoc and causing hundreds of thousands of dollars in losses for a U.S. company," said Acting Assistant Attorney General Matthew R. Galeotti. When he was instructed to return his laptop, Lu reportedly deleted encrypted data from his device. Investigators later discovered search queries on the device researching how to elevate privileges, hide processes, and quickly delete files. Lu was found guilty earlier this year of intentionally causing damage to protected computers. After his four-year sentence, Lu will also serve three years of supervised release following his prison term.
Careless (Score:4)
Dude should have made it so if his manager's account was disabled. It would have been obvious if it was checking for his account. Consider it a parting gift. /s
In all seriousness, kill-switches should only be created for military systems to self-destruct the device so that hardware that falls into the hands of the enemy self-destructs rather than remains operable. It makes it impractical of course in case someone loses the device.
Any other situation, kill switches aren't even necessary, if you're someone vital to the operational stability of the company, then the minute you're gone, your presence missing will be noticed as maintenance stops functioning.
Re:Careless (Score:5, Informative)
kill-switches should only be created for military systems to self-destruct the device
They are actually commonly used in the software industry for the purpose of disabling systems in case the customer forgot to make a payment to renew their license. For example: Backup software license expired, so the next day all the scheduled backup jobs are failing. Also, the buttons to start a manual backup or initiate a restore are greyed out requiring you to contact the vendor and pay for more time on that program's copyright license.
Re: (Score:2)
Or when software is "no longer supported", and the vendor activates the kill switch to "keep people safe."
I'm still pissed about Adobe using a kill switch to ruin Flash, and even more pissed about how the geek community unanimously celebrated it with thunderous fanfare.
Re: (Score:2)
I'm still pissed about Adobe using a kill switch to ruin Flash,
This caused an extremely serious issue back in the day. It is actually one of the rare cases where I had to backup some DLL files on a live production system and use a Hex editor to tamper with the executable (In order to disable the "Kill" logic in the Flash binary).
Just my opinion.. Adobe should be liable for this. In a fair and just society they would be due to pay for all the time necessary to workaround the issue they deliberately ca
Re: (Score:2)
That's in effect the same thing Davis Lu did though. They stopped paying him and they couldn't use the software anymore. So it's criminal when an individual does it, but completely acceptable when a company or corporation does it. I wonder if what Davis Lu did would be acceptable if he registered a one-employee company and then worked under contract with Eaton Corporation, instead of being an employee. Or if the problem is that he put the killswitch in the Windows production environment instead of just vital software he had a part in developing.
You posted as an AC so I'm not going to explain it to you but rest assured you're wrong.
Re: (Score:3)
A company provides a contract that says that the functionality ends when the customer stops paying for the license. If Davis Lu provided software under contract and had terms allowing the software to stop working, yes, it would be legal.
But he was an employee. An employee is expected to leave things running after leaving the company. Leaving behind a kill switch and not telling anyone about it is a criminal act. He's not the first person to do this (look up Tim Lloyd in 1996 and Nimesh Patel in 2016), and h
Re: (Score:2)
They probably paid him for coding (they paid for owning the code afterward) and not just for a time limited license for the code. If the backup software has a perpetual license and disables itself, you may also be liable.
Re: (Score:2)
> if his manager's account was disabled
Oh the chaos that would ensue. :)
Narcissists often get caught because they lack subtlety.
Re: (Score:2)
Any other situation, kill switches aren't even necessary, if you're someone vital to the operational stability of the company, then the minute you're gone, your presence missing will be noticed as maintenance stops functioning.
The world is full of people who see themselves as vital, who actually aren't. This is how they cope with that reality.
Re: (Score:2)
People that consider themselves vital, but then have to take steps to create artificial vitality - their own actions are proving them wrong.
If you were truly vital, your simple absence would be a disaster all by itself. If you have to engineer that condition, you're NOT vital. This is just an arrogant, self-important narcissist behaving badly and getting what they've got coming, at the cost of others.
I don't think there are enough stories like this in the news. It's pretty easy to find accounts BY such i
Re: (Score:2)
It's good to see one of them get what they deserve.
It is, though Terry Childs [wikipedia.org] is the poster child for that flavor of karma.
Re: (Score:2)
Re: (Score:3)
The world is full of people who see themselves as vital, who actually aren't. This is how they cope with that reality.
In a large company, if there is someone who is truly vital, then management at that company has failed. It's the bus test: "what would happen if xzy fell under a bus tomorrow?".
While no-one is truly irreplaceable, the issue is cost and time. In a small company, the cost and time to replace some employees may be fatal to the company.
Re: (Score:1)
if you're someone vital to the operational stability of the company, then the minute you're gone, your presence missing will be noticed as maintenance stops functioning
The last two times I job-hopped, the systems I left behind held out for over a year because I design them for stability and to not require babysitting. Unfortunately for those left behind, that was read as "these things just work and we don't have to worry about them." If things fall apart "the minute you're gone," what you make is crap.
Re: (Score:2)
Consider the case where you are the sole person with access to a system and because the system has worked fine for 20 years, the company just conveniently stops paying you (See "Office Space") because they literally do not know how you fit into the corporate machine.
If you were really vital to the business, less than a week would go by before something goes wrong. If systems work fine for a year before stuff goes wrong, that means you were not monitoring anything critical, so the business literally does not
It's basically impossible not to get caught (Score:2)
I do think it's pretty fucked up that he's getting more time than people get for rape and manslaughter. Really shows where the priorities are. Never mind the fact that besides punishing for the sake of torture there's no reason to lock the guy up. It's relatively easy to keep him out of a role where he could do this
All that racking was obviously caused by (Score:1)
Boomers who want to track us when they retire. Listen up, because I'm only going to say it once: Boomers are the embodiment of everything wrong with this country. They're the ones who've been in charge for 40 years, making a mess of things, and yet they have the nerve to lecture younger generations about personal responsibility. Give me a break! You can't have your cake and eat it too, folks.
You Boomers are always talking about how hard you worked to get where you are today, but let's be real you had a leg
Fool (Score:5, Funny)
"how to elevate privileges, hide processes, and quickly delete files"
He had to look that up? What an incompetent fool. He deserves his sentence.
Makes the rest of us look bad.
Re: (Score:2)
I'm not sure hiding processes would be considered basic knowledge.
Re: (Score:2)
I'm not sure hiding processes would be considered basic knowledge.
At a defense contractor writing software? It should be a prereq for getting the job.
Re: (Score:2)
What? Like, "meets minimum job requirements"?
Re:Fool (Score:4, Funny)
Does sound like amateur hour. After I left the company contracted me to fix a few things because they didn't hire a replacement in time and the guy they got couldn't wrap his head around the systems I had built. Didn't even have to try to sabotage anything, and it was all well documented. All you really need to do is rely on the company to screw it up themselves.
Re:Fool (Score:5, Insightful)
It is not surprising he had to look this up. A competent IT security person would not have done it, because it is exceptionally likely that you will get caught. It is always the amateurs with delusions that do this crap.
Re: (Score:3)
Imagine for a moment if the company wasn't competent enough to trace it back to him.
They would then have no idea that the damage happened as a result of his firing.
Can you really enjoy your revenge, if the victim doesn't even know that it was revenge ?
I think it is a bit of a conundrum. It might be why he didn't even try to hide it.
Re: (Score:2)
Good point. Angry, aggressive, out for revenge and not thinking about the consequences for himself at all. Essentially an intellectual child.
The demotion is probably a clue... (Score:2)
...that the company already realised that the guy was a bit of a jackass. A demotion is a clear message that "we think you're a waste of desk space but you're not so useless that we can fire you but perhaps you should think about looking elsewhere"
Re:The demotion is probably a clue... (Score:4, Insightful)
Generally but not always. I used to work with a guy who got promoted to director. He wasn't terribly good at it. It was a shift lower management that he was very good at. However it also represented the change from tactical problem solving to strategic thinking and to pitching ideas and convincing people you mostly report to ie VPs, and C-Suite, vs organizing people who mostly report to you.
It was perfectly clear to everyone, including him, after 8 months or so he was just not working out in the new role. Ended up making him a sort of floating-manager-fixer-internal-consultant guy. They'd have him start up new groups, and be made co-manager of struggling groups. He'd get everyone organized and move on. He was great at it. He might even still be there, kinda lost touch. Certainly a "demotion" in terms of authority, but a better fit for skills and interests. I don't know what it meant for him dollars and cents wise, but I could tell he was a lot happier doing that work and getting accolades for it than he had been coming in for the past three months wondering if the CTO was going to say "Bob we gotta let you go."
Re: (Score:2)
I've always avoided moving into management despite having had the opportunity a few times. I'm not a people person, I'm not interested in managing them or dealing with their issues, I'm far better doing stuff on a computer. Probably cost me a fair amount of money in the long run but I've no regrets.
Sigh (Score:4, Insightful)
Tell me why a dev has access to AD enough to lock out other people, including admins.
This is just dumb-ass network management.
Re: (Score:2)
I would guess it is pretty common in large enterprises. Most of them will have some custom identity and access management solutions, even if it is just glue to make some actions in PeopleSoft/SAP/Pick-your-HR-IS-SaaS-thing trigger events in AD:DS/Entra/Okta/AWS-IAM/etc.
Maybe they don't have an account themselves with access but if they commit some code that gets promoted to production and runs with account privileges that do...well bob's your uncle.
Re: (Score:2)
Maybe they don't have an account themselves with access but if they commit some code that gets promoted to production and runs with account privileges that do...well bob's your uncle.
Right on. The fact that he had a process, one he named after himself, checking if his own account had been disabled, and that the disabling of his account was the trigger to do stuff, means said bit was using other credentials (not his own).
Re: (Score:2)
Because the PHB thinks it's a good idea.
Security is important until the president is shown a presentation of this cool new gizmo/fad.
Re: (Score:2)
Tell me why a dev has access to AD enough to lock out other people, including admins.
Perhaps it is because Windows has frequent security issues?
Re: (Score:2)
Tell me why a dev has access to AD enough to lock out other people, including admins.
This is just dumb-ass network management.
Did you read the part about privilege escalation?
IsDLEnabledInAD (Score:2)
Shows he either really likes his initials, or did not care if he got caught, or both.
In the good old days, he could have used self-modifying code to try to cover his tracks a little bit.
Re: (Score:2)
Shows he either really likes his initials, or did not care if he got caught, or both.
You could call it WatermelonRutabaga and the test would still have to point to the account in order to function, so it would still be self-documenting.
Re: (Score:2)
Re: (Score:2)
Yes, that would point it at more than one person, creating a small amount of doubt about the perpetrators. But he would still have to be on the list, unless he was monitoring an entire group and not individual members. That happens in RIFs sometimes. But he was concerned only with himself. And he was obviously no Stuxnet mastermind.
Re: (Score:2)
Of course, but someone still has to do the forensic investigation to find it. The only way to stall it might be irreversible data destruction of all the computers running the code, including perhaps the AD itself, and no backups of any kind. Then, the forensic investigation might hit some snags. But I doubt any company the size of Eaton is stupid enough to operate with no backups.
I think as I wrote in another comment, he probably could not enjoy his revenge, if his victims never even knew it was revenge.
Re: IsDLEnabledInAD (Score:2)
Yes, of course it is amateur hour stuff. Hiding it better doesn't mean it won't be found, though. And if it is, then they only hold you accountable for the forensic costs.
From the description it's not even clear where the trigger was implemented. It could have been a scheduled task for all we know.
Well... (Score:2)
That guy just made sure he will never be hired again for the same or similar functions again.
Re: (Score:2)
Re: (Score:2)
No. People that full of themselves (and malice) do not learn. I wouldn't hire someone with that poor of judgement, and that delusional a view of their own abilities, to flip burgers.
kill switch (Score:2)
Re: (Score:2)
Yeah, lots of red flags all over the place. If one person can create a disaster like this, what else is this company doing horribly wrong? I wouldn't trust them with my information, that's for sure.
Re: (Score:2)
Now, why he had access to AD, that's a different and very interesting question that does raise the same sort of question you're alluding to.
Re: kill switch (Score:1)
for running the Killswitch (Score:2)
He did not actually get four years for creating the software. He got four years for running it.
Kill switches don't kill computers, it is the people that run the commands who...
Thoughts and prayers for the data..
Still waiting for the other side of this equation (Score:3)
Oh wait, that's (Score:3)
Re: (Score:2)
Companies can't go to jail, so that's obvious.
Re: (Score:2)
Wait... (Score:2)
According to TFA he was a Chinese national, living legally in the US.
Does that mean ICE is in his future?
Re: (Score:2)
He will 100% be deported when he completes his prison sentence, and could be deported before completing it (low chance of illegal re-entry from China after all) under the current administration.
The four years in prison might "save" him, it's not an aggravated felony and it's not moral turpitude, so it won't be automatic. Maybe there will be a pendulum swing away from enforcing the letter of the law and deporting easy targets at every opportunity (nothing is easier than someone already incarcerated - even th
Okay, now let's start putting management in prison (Score:1)
Yet When Corporations Do It (Score:2)
The government does nothing. Companies are constantly making computers owned by other people do things that are against the interests of the owner, including disabling it altogether. Especially handheld computers a/k/a phones. After all, you willfully gave them the right to do so when you used your computer, and the TOS clearly said on page 38 that by using your purchased property, you agree to give up control over it. They can shut it down if they do not like the way you use it, or if they do not like
Re: (Score:1)
Earlier he was saying how he hates safety regulations and healthcare.
Such strong opinions from a retired keyboard jockey.
Re: (Score:2)
-1 Offtopic
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
"punishing shitheads is frowned upon by the Slashdot population" Selective memory. It's easy, only remember what supports your view. Even little kids do it.
Re: (Score:1)
Yeah, Clinton is quite the monster.
You think that's some kind of burn, but fuck Clinton.
You also think that's insightful, but Cheeto Benito was Epstein's best buddy and wingman. Clinton was an Epstein customer, Trump was an Epstein partner.
Re: (Score:3)
...fuck Clinton.
I'd rather not, thanks. Plus I'm way too old for him.
Re:Four years? (Score:5, Informative)
I'd rather not, thanks. Plus I'm way too old for him.
I don't recall Clinton even being accused of fucking any kids. The tangerine terror, on the other hand...
Re: (Score:2)
Guess you won't mind posting links for these claims?
Re: (Score:2)
"Though he visited epstein island a number of times. And don't forget Biden"
you appear to have missed - or forgotten - this previous statement:
"You think that's some kind of burn, but fuck Clinton"
Biden? Did he also visit Epstein Island?
Why isn't Bondi having Sleepy Joe arrested?
Re: (Score:2)
Re: Four years? (Score:2)
Clinton is in the flight logs, so it's plausible. That's not the same thing though.
Biden is AFAIK only accused of some creepy hair sniffing, which is weird and icky but doesn't rise to rapey.
Re: (Score:2)
Why isn't Bondi having Sleepy Joe arrested?
Give her time to get the Epstein files rewritten.
Re: (Score:2)
Don't you remember that the Clintons were part of a global elite paedophile ring, based out of a pizza restaurant basement?
The fact that some guy went there, armed, and found nothing, hasn't disproven it for some dedicated QAnon followers. I'm sure it's just coincidence that Clinton's rival's name is definitely in the Epstein Files.
Re: (Score:2)
if you feel that it's true or if you really want it to be true, you don't need evidence, it would seem
Re: (Score:2)
I do. This is why I need to get my shit together and get at least Solr set up if not some kind of "AI" search tool to figure out if I've got the citation for some Republican congressman or mayor or some shit (sorry, memory is hazy) actually being involved in a slightly-pizza-parlor-related child sex prosecution stored someplace. It must be more important than I thought at the time, which I know is a disgusting sentence but TBF society accepts a whole bunch of child molestation will happen when we know we ca
Re: (Score:3)
You have zero evidence for any of that and the assertion is as retarded as you are.
Trump obviously does not believe there are any unexplainable connections between him and Epstein, or that he ever did anything with Epstein that would ultimately be judged unacceptable by the public.
He cautioned a lot of names would turn up, but also ran on releasing those files. Trump also being Trump expected to win! He knew he'd be in a position to release the files and given his other follow thru probably expected to do.
Re: (Score:2)
He cautioned a lot of names would turn up, but also ran on releasing those files
And the MAGA fools believed him. They believed someone with a history of lying.
Did I miss Trump releasing his tax returns, as he promised in 2016?
Re: (Score:2)
Re: (Score:2)
"Look, having nuclear — my uncle was a great professor and scientist and engineer, Dr. John Trump at MIT; good genes, very good genes, OK, very smart, the Wharton School of Finance, very good, very smart — you know, if you're a conservative Republican, if I were a liberal, if, like, OK, if I ran as a liberal Democrat, they would say I'm one of the smartest people anywhere in the world — it's true! — but when you're a conservative Republican they try — oh, do they do a number
Re: (Score:2)
Even a senile Biden would be a better President than Trump so that's kind of a moot point. Trump lovers got duped again by Trump and keep asking for more. Unfortunately they're too far deep into supporting him at this point that for a lot of them it's their entire personality and even though there's plenty of evidence they would never believe it.
As they say, you can't reason someone out of a position they didn't reason themselves into
Re: (Score:2)
Plenty of us wanted Biden to honor his pledge to be a 1-term / transitional president.
But even if Sleepy Joe was entirely mentally absent his admin ran very well, especially compared to the clusterfucks of both Trump's 1st term and what happened so far in this one.
Some of us also remember when Obama was supposed to have the military rounding up people & surging into cities. That would NEVER happen with the GOP in charge, right? RIGHT??
Re: Four years? (Score:2)
Re: (Score:2)
As for Trump I see long lists of incriminating and creepy things that he has done given as "proof." But what I don't see is actual und
Re: (Score:2)
Just look up the case of Katie Johnson who was 13 when she alleges Trump raped her. If you're not seeing the cases it's not because they don't exist, it's because a. They're afraid - these are rich and powerful people. b. You're not paying attention
Re: (Score:2)
Re: (Score:2)
I would guess a lot of the cases (not just for Trump, but other powerful men as well) fall under reason "a" where they're afraid to come forward.
Just think if you're a woman that was raped in the past, what's the advantage of coming forward with the allegation? It's a humiliating experience, brings out crazies with death threats and such, and unlikely to do anything. Trump is obviously immune to prosecution because the supreme court ruled him king, but even other powerful people might just get pardoned if
Re: (Score:2)
I'm not saying that's impossible. I'm not saying that "just" one (Katie J) isn't enough to worry about even if true. I'm just thinking, what exactly is it that people online are thinking, because they usually just throw out a phrase like "seri
Re: (Score:2)
Having an allegation like that combined with Trump being friends with a big time sex trafficker/pedophile Epstein is where it's coming from
Re: (Score:2)
Re: (Score:2)
You have zero evidence for any of that and the assertion is a retarded as you are. ... ...
The real issue with releasing the files is obvious to anyone with two functioning brain cells. After the election Trump found out someone close to him or some critical House, Senate, Court members are really implicated and it really could be anyone including family members.
Trump is innocent and he knows he's innocent and everyone else will too if the stuff actually comes out.
The thing I can't stand the most is hypocrisy.
Re: (Score:2)
Is this some kind of "gotcha liberals!" quip? I mean if Clinton was part of the pedo party then yes please lock him up too. But since the guy who was buddies with Epstein https://x.com/dpakman/status/1... [x.com] refuses to release the files and ordered his name be scrubbed from the evidence https://www.newsweek.com/donal... [newsweek.com] then things are looking a bit suspicious.
Re: (Score:2)
Remind me again who runs the DOJ?
Re: (Score:2)
Re: (Score:2)
Yeah, that would have accomplished something. Or not. Well, it might have satisfied your sadism.
I am always surprised how many unrefined primitives are around even today.