Yee-hacked! Fired Texan sysadmin goes rogue, trashes boot business

A former IT administrator working at a cowboy boot manufacturer has pled guilty to hacking the servers and cloud accounts of his employer after they fired him and had him removed from the building. Joe Vito Venzor, 41, had been employed by the Lucchese Boot Company in El Paso, Texas, but he was let go on September 1 last year …

  1. Lou 2

    Quote: "The attacker's work was so effective that the application server was totally borked and the company ended up having to buy a new one and reinstall all the software on it"

    Wow! He ruined the hardware on a server by logging in from outside and deleting files. Yeah right. And that is why this company needs outside help. From a shrink.

    1. Crazy Operations Guy

      It's likely that they would purchase the new server so the old one could be used as evidence, or that someone could be building the new one getting things up and running while another person goes through the old system to pull files off that were deleted or they just didn't have a backup for (like new order info, transaction logs, etc.).

      I would also think that they'd use this excuse to bring in upgraded hardware if they never had a chance to take down the old one since it was used for so much important stuff.

      1. Anonymous Coward

        They might not be able to install the same version of software now, or chose to install newer software since it was available to avoid the need for a later upgrade. If that new software version requires newer hardware, that would mean a new server is needed.

        1. Version 1.0 Silver badge

          In that situation I'd go with a fresh installation - if you've just been nuked from orbit it's the only way to be sure. New hardware and software installations eliminate the possibility that there's another nasty waiting for you.

          1. bombastic bob Silver badge
            Devil

            new hardware + new software is probably EASIER than cleaning the mess up, too. Overall cost (when you include time and number of people involved) very well could be WAY cheaper than the alternative. No hidden back doors, either.

            1. Danny 14

              So the backups were accessible to such a degree remotely? They had zero offline backups?

              So what would they have done with an encryption virus?

              Rotated, ejected tapes might be a bit 90s tech, but a firesafe with a week-old set of tapes is better than fuck all.

              1. werdsmith Silver badge

                I guess if the company was using a virtual infrastructure then he would have had to attack the ESX hosts, otherwise they would have just needed to roll in the VEEAM or equivalent backups.

                But it sounds like they weren't ready for DR, whatever the cause of the disaster. That was probably down to him too. I guess there is always that risk of mental health problems with many jobs that involve trust, which is why there has to be more than one keyholder for the red nuke button.

              2. Crazy Operations Guy

                "So the backups were accessible to such a degree remotely? They had zero offline backups?"

                The system processed orders, so even if they had backed up the system 5 minutes beforehand, the system still would have information, such as new orders and orders ready to ship, that isn't in the backup.

                Depending on volume, the number of orders lost could easily become more valuable than the cost of a new server. This would especially be true if they are customer-focused; if you were a customer that had paid for merchandise and received a confirmation email detailing the same, would you stand for the company telling you "Sorry, we lost your order"? On the other hand, a customer's order may have completed processing and shipped so a full manual search of which orders are still in the shipping dock, which have had shipping labels applied, which labels are on a truck, etc.

              3. Alan Brown Silver badge

                Backups

                Backups, and more fucking backups.

                And NOT online backups. They're far too susceptible to this kind of attack.

    2. Lord Elpuss Silver badge

      It's possible (though unlikely) that he also flashed a custom firmware rendering any potential repair financially impractical.

      Writing this as a technicality, as I don't believe for a second he actually rendered the hardware useless. It's just a way of getting the 'value' of the crime up to Grand Larceny levels so they could send him down for a 10 stretch. He was an idiot, but overreaching prosecutors are a plague and a menace to society.

      1. a_yank_lurker

        @Lord Elpuss

        Given the nature of the attack, rebuilding the drive would mean reinstalling all the software. Since it would be evidence in a criminal trial, the company needs to buy a new server plus all the work to get it up and running. Depending on how much equipment and time was involved this could add up fast. Whether the prosecutors are overreaching, I cannot say without more details.

        1. Emmeran

          Re: @Lord Elpuss

          Sadly the prosecutors aren't over-reaching. How many people lost wages because of his shenanigans? He should be charged with theft against each and every one of them. I guarantee you most of the line workers are paycheck-to-paycheck folks who cannot afford that 25% hit to their weekly pay.

          The far-reaching effect of assault on infrastructure, whether it be physical or technical, is usually understated. Nothing brings a company (and its employees) to their knees faster than broken toilets or broken servers.

          1. Anonymous Coward

            Re: @Lord Elpuss

            "Sadly the prosecutors aren't over-reaching. How many people lost wages because of his shenanigans?"

            actually, they are reaching for their paycheck.

            a lot of the "cost" here is for the forensic examinations done (at mandatory price rates where you don't get to choose)... there's very little chance that the company could get to cash in some of those once the various state fees and costs are deducted.

            Just the costs of forensic cloning of a server RAID drive array and follow-up examination alone can rise quickly to multiple-digit thousands of dollars because of this: they need to buy at least double the amount of similar-capacity server-grade drives, and a new server that's RAID-compatible with the old one. (Double the capacity because they would need to make 2 sets of forensic drive clones, a read-only clone as primary evidence and a read/write one for functional examinations.) Add to this the costs of the various licenses they need to buy again (if it's commercial software) since it's basically a new server build-up, and the prosecution costs can rise sharply.

            And after all is finished and the guy is sentenced, all of this brand new equipment will go and rot into some evidence crate somewhere, nailed shut and gathering dust on some shelf.

            All paid through the 'costs' attached to the sentence.

          2. StargateSg7

            Re: @Lord Elpuss

            Since this is TEXAS, the DA (District or State Attorney) will apply a STACKED SERIES of State-level Computer Crime Charges of up to 10 years each. So each attempt at logging-in and messing with the office gear will be considered a SEPARATE 10 year sentence if convicted at trial.

            AND ... Since this is the USA and DA/State Attorneys (aka crown prosecutors) hate going to trial, they will STACK as many charges on top of each other as they can in order to get the defendant so afraid to go to trial that they will "See the Light" and take a "Plea Deal" for about a 2 year sentence for each stacked charge.

            In the end, the total sentence handed down by the judge will be a little more than 10 years in Medium to Maximum Security State Penn, 5 years of probation, a $250,000 fine and an internet and/or computer usage ban for probably up to 10 years!

            If the defendant elects to actually GO TO TRIAL, each stacked charge may be applied consecutively and that means a final sentencing tally of between 50 to 150 years in a MAXIMUM security state penn! That is basically a death sentence and since he is probably a nerd and of LIKELY a slight stature, he will be the ultimate PREY in a massive den of powerfully-built, ultra-violent predators who will be making him their Prison B&&&H for the rest of his natural life.... up until the day he finally gets shanked cuz he didn't pay his "Daily Prison Dues" in a timely or deferential manner!


            Good luck! He is gonna need it!

            Those DA's are gonna stack sooooo many charges, he really should be thinking of taking the plea deal and see if he can get himself thrown into solitary confinement for his 10 year term so he doesn't end up a$$-RR-aped on a daily basis!

            U.S. State Penns, even the medium security ones, are ABSOLUTELY NO PICNIC ... YOU BETTER be musclebound, mentally tough, plain crazy and with real fighting ability if you wanna keep your rectal virginity intact! The prison gangs GANG UP on the incoming "Fish" (aka Newcomers) and shake them down to see who will be joining-up-the-gang as an inductee, be immediately shanked/killed or be FORCEFULLY made into just another one of their "Prison B&&&hes" !!!


      2. rh587

        "Writing this as a technicality, as I don't believe for a second he actually rendered the hardware useless. It's just a way of getting the 'value' of the crime up to Grand Larceny levels so they could send him down for a 10 stretch. He was an idiot, but overreaching prosecutors are a plague and a menace to society."

        Puts you in mind of the Gary McKinnon charges, where the criminal damage to each computer accessed was claimed to be $1500 IIRC - $1500 "just happened" to be the value to move the charge from a misdemeanour to a more serious felony.

        Not that I have any sympathy for this chap - if you're a revenge-minded individual then there are more obvious ways of ex-filtrating data or credentials without leaving a trail in your corporate e-mail, and subtlety was apparently a foreign concept. Less BOFH and more Boss, with the inevitable result that he got cuffed.

        But I would concur that arbitrary damage valuations that just seem to be on the tipping point of a higher charge do make one quirk an eyebrow at the state of "justice".

      3. VanguardG

        I should think there were plenty of felonies here to get things ramped up high enough he would be looking at plenty of jail time - especially if a prosecutor pushes for time to be served consecutively, instead of concurrently, on at least some of the charges. Besides...the prosecutor would want as MANY counts of as MANY charges as possible, not just a few big ones. Then the defense attorney can't find a loophole that negates the ONE big charge and get his client off with only a few months on a handful of misdemeanors. Get him 7 or 8 charges that each carry 4 or 5 years, and push for consecutive sentencing, and you'll get the jail time even if the defense gets some of the charges dismissed. And, were I a judge (luckily for criminals, I'm not) I'd see each server knockdown as a separate crime, and endorse consecutive sentencing - he had a chance to stop himself after screwing up each server, but he continued. So, he should also CONTINUE to serve time in jail after completing his time for each server. The actual judge probably will be much more forgiving...he might be sentenced to 10 years, but the judge will probably suspend 8 of them and let him get out "on good behavior" after just a few months. Then again, it's Texas - he might get the firing squad.

    3. Instinct46

      Cloud Server

      It could of been a cloud based server, and if he'd delete and reconfigured a bunch of the hardware they may not of been able to connect to it

      1. Anonymous Coward

        Re: Cloud Server

        Could HAVE been.

        (Anon because I do post stuff that I fondly think is more significant and don't want to detract from that)

    4. Just Enough

      The quickest solution

      When you have a trashed server that needs to be forensically examined for a prosecution, what would you rather do in order to get you business back up and running ASAP?

      - Wait until it has been examined, then restore a backup, then examine it again to see what other nasty surprises might have been restored from the backup, before finally trusting it to start working with again?

      - Get in a new server, a clean install and a system you can trust ?

      1. Alan Brown Silver badge

        Re: The quickest solution

        Pull the drive, drop in a new one, reimage.

        The old drive is your forensics, and being unplugged makes it unmodifiable.
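
The discipline behind "pull the drive, it's your forensics" and behind the two-clone approach (a read-only evidence clone and a read/write working clone) mentioned earlier in the thread is that every copy is hashed at acquisition and re-verified before anyone relies on it. The script below is an added example, not code from this thread or from any tool it mentions: the "drive" is a constructed byte string standing in for a pulled disk, and the immutable `bytes` evidence copy versus the mutable `bytearray` working copy model the two clones. Everything in it is assumed for illustration.

```python
"""Added example: hash-verified forensic image copies.

Not code from the comment thread.  The "drive" below is a constructed
byte string; in practice the source would be a block device behind a
write blocker, but the verification logic is the same.
"""
import hashlib


def sha256_hex(data) -> str:
    """Hex SHA-256 of an image (bytes or bytearray)."""
    return hashlib.sha256(bytes(data)).hexdigest()


def acquire(source: bytes):
    """Image the source once, record its hash, and hand back two copies.

    Returns (acquisition_hash, evidence_copy, working_copy):
      - evidence_copy is immutable and is never handed to examination tools;
      - working_copy is mutable and may legitimately change during analysis.
    """
    acquisition_hash = sha256_hex(source)
    evidence_copy = bytes(source)        # read-only clone: primary evidence
    working_copy = bytearray(source)     # read/write clone: functional examination
    return acquisition_hash, evidence_copy, working_copy


def verify(acquisition_hash: str, image) -> bool:
    """True when the image still matches the hash recorded at acquisition."""
    return sha256_hex(image) == acquisition_hash


# Constructed "drive" contents: a fake boot sector, a fake order file, padding.
DRIVE = b"MBR\x00" + b"orders.db: ORD-1001,ORD-1002\n" + b"\x00" * 64


def examine(working_copy: bytearray) -> None:
    """Stand-in for an examination step that writes to the working clone
    (e.g. a tool replaying a journal or repairing a datastore)."""
    working_copy[4:10] = b"XXXXXX"


def demo():
    """Run acquisition, examine the working copy, re-verify both copies.

    Returns (evidence_still_valid, working_still_valid); expected (True, False):
    the evidence clone is untouched, the working clone has diverged.
    """
    acquisition_hash, evidence_copy, working_copy = acquire(DRIVE)
    examine(working_copy)
    return verify(acquisition_hash, evidence_copy), verify(acquisition_hash, working_copy)


if __name__ == "__main__":
    print("evidence intact, working intact:", demo())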

    5. JCitizen
      Trollface

      One of da boys in Texas..

      Joe Vito Venzor of the Lucchese Boot Company got a deal he no can'na refuse! Bada-bing, Bada Boom!!!

  2. Dwarf

    An interesting point to add to the risk register for those partaking in cloudy stuff.

    The usual approach of "deny physical access and remote access" is no longer enough to buy time whilst accounts are disabled.

    Sure, the AWS training courses include information on Identity and Access Management (IAM), and what to do when the admin leaves, but how many would remember to do that on the day and how many of those would need a change request signed in triplicate to get privileged accounts changed "just in case something goes wrong", even though something worse can go wrong without the approved change.

    As for the Muppet who did it, good luck in your new career, since nobody will touch you for IT roles now.

    1. Anonymous Coward

      Which is why you link IAM to AD via ADFS. Disable the AD account and all IAM access disappears.

      1. d3vy

        "Which is why you link IAM to AD via ADFS. Disable the AD account and all IAM access disappears."

        RTFA

        He set up at least one new account they didn't know about.
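
Dwarf's point that disabling the known account is no longer enough, and d3vy's reminder that the admin had created at least one account nobody else knew about, both come down to the same offboarding question: does the privileged-account population still match what the organisation believes it to be? The script below is an added example, not code from this thread or from any vendor it names. It assumes the account list has already been exported from the directory (AD, a cloud IAM credential report, or similar) into simple records; the account names, dates, group names and approved roster are all constructed sample data.

```python
"""Added example: post-departure audit of privileged accounts.

Not code from the comment thread.  Records, roster, group names and
dates are constructed; a real run would feed an export from AD or a
cloud IAM credential report into the same records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Groups whose membership grants administrative control (assumed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "AWS-Administrators"}


@dataclass(frozen=True)
class Account:
    name: str
    created: datetime
    enabled: bool
    groups: frozenset = frozenset()


# Constructed sample export: every name, date and group is made up.
SAMPLE_ACCOUNTS = [
    Account("itdirector", datetime(2012, 3, 14), True, frozenset({"Domain Admins"})),
    Account("jvenzor", datetime(2010, 6, 1), True, frozenset({"Domain Admins"})),
    Account("jsmith", datetime(2014, 1, 9), True, frozenset({"Sales"})),
    # A second admin-group member nobody put on the approved roster.
    Account("svc_backup", datetime(2016, 8, 20), True, frozenset({"Domain Admins"})),
    # Disabled today, but created just before the departure: still worth a look.
    Account("tempcontractor", datetime(2016, 8, 25), False, frozenset()),
]

DEPARTED_USER = "jvenzor"                 # constructed
DEPARTURE = datetime(2016, 9, 1, 17, 0)   # constructed removal time
APPROVED_ADMINS = {"itdirector"}          # constructed post-departure roster


def audit_privileged_accounts(accounts, approved, departed, departure,
                              lookback=timedelta(days=30)):
    """Return sorted (account, reason) findings for an offboarding review.

    Three checks, each a question an incident responder asks after a
    privileged user leaves:
      1. Is the departed user's own account actually disabled?
      2. Is every member of a privileged group on the approved roster?
      3. Was any account created shortly before the departure?  Such an
         account may hold no privilege today and still be the one the
         departed user knows about and nobody else does.
    """
    findings = []
    window_start = departure - lookback
    for acct in accounts:
        if acct.name == departed and acct.enabled:
            findings.append((acct.name, "departed user's account is still enabled"))
        if acct.groups & PRIVILEGED_GROUPS and acct.name not in approved:
            findings.append((acct.name, "privileged account not on approved roster"))
        if window_start <= acct.created <= departure:
            findings.append((acct.name, "created within lookback window before departure"))
    return sorted(findings)


if __name__ == "__main__":
    for name, reason in audit_privileged_accounts(
            SAMPLE_ACCOUNTS, APPROVED_ADMINS, DEPARTED_USER, DEPARTURE):
        print(f"{name:15} {reason}")
```

Against the constructed data this flags `jvenzor` (still enabled, and no longer on the roster), `svc_backup` (in an admin group without approval, and created shortly before the departure) and `tempcontractor` (recent creation only). The roster check is the one that catches the hidden account d3vy refers to; the creation-window check is there because a planted account need not be privileged on the day it is found, so it earns a review rather than a pass.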

      2. Joe Montana

        AD...

        If he had AD admin access you'd better lock all accounts, and change the KRBTGT password at least twice. He could easily have dumped the entire user database and have access to every single account.

        1. bombastic bob Silver badge

          Re: AD...

          "He could easily have dumped the entire user database and have access to every single account."

          right, and STILL have low-level access via some obscure user account, which [with the right tools] can get you admin access, depending on installed patches and running software, or a carefully installed back door (that would do it for sure). He ALREADY added a secret login with admin privs, so why wouldn't he put in a back door (or two) as well? [this is a good reason for "get new computer, re-build from scratch" to fix this]

          To add back doors, you could re-compile system stuff from modified source, or install your own dummy applications that run the real ones, or tack on 'virus-like' extensions to various programs that run in the context of 'root' or 'system' or 'administrator' and/or just install something that LOOKS like it belongs there, even signing it with your own certs [when needed] that you install [easy to do] when THAT kind of thing is necessary, yotta yotta yotta. Nothing new under the sun. These things are _EASY_ to do... which is why senior admins and/or managers need to watch out for that kind of crap.

          (but a lazy crooked sysadmin would probably install some "toolz" purchased off the darknet)

    2. chivo243 Silver badge

      @Dwarf

      +1, well said.

      "but how many would remember to do that on the day and how many of those would need a change request signed in triplicate to get privileged accounts changed "just in case something goes wrong", even though something worse can go wrong without the approved change."

      Not many, approaching ZERO, as HR and other less tech-savvy departments usually have to be involved too. The cloud? Isn't that where we keep our stuff?

    3. bombastic bob Silver badge
      FAIL

      "As for the Muppet who did it, good luck in your new career, since nobody will touch you for IT roles now."

      well after 10 years in the Iron Bar hotel, he'll be 50-something and recently paroled, 10 years out of touch with the industry (no 'recent experience' in anything), and didn't even do anything famous/brilliant enough to get a consulting gig (to fight off other wanna-be hackers). So yeah. He's pretty much UNEMPLOYABLE in the IT field. And if his firing was for a really really good reason (like incompetence), there's that, too.

  3. NoneSuch Silver badge
    Coffee/keyboard

    No job is worth jail time.

    When I was laid off in a particular snotty fashion, I got a phone call a week later asking if I wouldn't mind coming in to brief the new IT guy. I declined.

    1. Dwarf

      "When I was laid off in a particular snotty fashion, I got a phone call a week later asking if I wouldn't mind coming in to brief the new IT guy. I declined."

      The correct answer is that now I'm no longer employed by you, the consultancy rate is (5-10 x previous rate) and you would be happy to help, but given the circumstances, the terms are payment in advance.

      Obviously if you are still in the exit process and arguing about the package, then the same can be done on severance, again paid in advance.

      If they want it bad enough, they will pay. If not, then you tried to help, but it becomes someone else's problem. I think it's called cause and effect.

      1. MonkeyCee

        "The correct answer is that now I'm no longer employed by you, the consultancy rate is (5-10 x previous rate) and you would be happy to help, but given the circumstances, the terms are payment in advance."

        You're way too nice :)

        Either I'm already there on consultancy rates, in which case my summoning cost is being met.

        If it's from a previous workplace, then I start with a request for a month's salary for even looking at the proposal, and about a month's salary = daily rate (or weekly = hourly).

        I am no longer surprised when people will throw piles of money at you to solve their shit, who only weeks earlier were bitching about paying you a buck or two more an hour, and how your skills were easily available in the marketplace.

        I am still a little shocked at just how quickly they agree. I'm obviously not charging nearly enough....

        1. Anonymous Coward

          "a month's salary = daily rate (or weekly = hourly)."

          You're way too optimistic!

        2. Prst. V.Jeltz Silver badge

          My partner has just left a small company where she is the only one who knows how to operate the "navision" finance system.

          It took her about 6 months from giving notice to leaving due to protests , screams , threats & pleading from the company.

          Time and time again, I told her "Consultancy rates!!!!", but it never happened :(

      2. Alan Brown Silver badge

        "The correct answer is that now I'm no longer employed by you, the consultancy rate is (5-10 x previous rate) and you would be happy to help, but given the circumstances, the terms are payment in advance."

        It's actually better to decline.

        If you start demanding high rates they may sic lawyers on the case claiming blackmail.

        I've seen it happen. Wait for them to make the monetary offer and give them time to worry you'll refuse.

  4. Will Godfrey Silver badge
    FAIL

    What a Muppet.

    What was he thinking, with all the very well publicised cases of rogue SysAdmins being thrown in the slammer.

    1. goldcd

      Re: What a Muppet.

      I'm pretty sure this wasn't a well thought out plan.

      Possibly the sort of 'planning' that got him the boot in the first place.

      1. Doctor Syntax Silver badge

        Re: What a Muppet.

        "I'm pretty sure this wasn't a well thought out plan."

        It sounds as if some preparations were made in advance.

    2. Robert Carnegie Silver badge

      Re: What a Muppet.

      If people don't know that you will demolish the company's IT if you are fired, then how do your preparations keep you from being fired?

      Maybe when he "became volatile" (was that the expression?) he was trying to explain what he could and would do if they went ahead and dispensed with his services.

    3. Anonymous Coward

      @Will

      Muppet is too friendly.

      Morons like that also ruin it for the serious IT staffers, because there will be employers who may start worrying about all this. The classic "can you really trust the IT department?" and that could have its effect on plenty of others.

      1. Danny 14

        Re: @Will

        Just wait a month and give some other spod adnin rights with your hidden account. Use their account to run an encryption virus on the server. Vpn the acces and away you go.

  5. Crazy Operations Guy

    Properly designed security

    In a properly-secured organization, you should always approach security as if the attacker has full admin access on your systems and has intimate knowledge of the network, specifically to prevent something like this from happening. Even if you trust your sysadmins, they could accidentally lose their devices with sensitive data on them and have them picked up by someone malicious, or someone could compromise those people (kidnap their family, blackmail them, etc.).

    1. Anonymous Coward

      Re: Properly designed security

      Indeed! There's even this magical "new" thing called role-based access, whereupon, get this, you only give limited access to anyone needing it, and further minimize risk by making more delineations in the roles where the work gets done. It's built into just about every software system I've seen. You can set up a class structure where only admin A can build a thing, and only admin B can give access to it, or other business role breakdowns based on the capabilities of the product.

      Although, that would require more people to man the operations and then making sure those roles are adhered to. And that requires well thought out planning and teamwork. Something that a shoe manufacturer may miss in their mad dash to cut costs in IT. I'm sure this madmin [sic] was of low cost and quality to begin with, and here's what you get for your money, Mr Boot CEO; fucked.

      Also, cowboy boots are made for; 1) actual livestock workers, 2) people pretending to be actual livestock workers IRL or on TV, and 3) racists.

      1. 404

        Re: Properly designed security

        Cowboy boots are also great for dancing, you uneducated judgmental sonuvabitch...

        1. Allan George Dyer

          Re: Properly designed security

          @404 - I look forward to your production of Swan Lake in Cowboy Boots!

          1. 404
            Pint

            Re: Properly designed security

            lmao! Trying to imagine that...

            However, Two-Step, Country Swing, or mosh pit - they're great!

            aww hell! It's April Fool's Day... Trolls abound...

          2. Francis Boyle Silver badge

            Well I'm currently crowdsourcing funding

            for a production of Swan Lake featuring crossdressing lumberjacks. Sling me some money and I'll put them in cowboy boots of your choice.

            That's my April Fools done. then.

            1. Richard 12 Silver badge

              Re: Well I'm currently crowdsourcing funding

              That still wouldn't be the strangest production of Swan Lake.

              The classics have been "re-imagined" in almost every way imaginable. And will continue to be so.

              Still waiting for the zero-G edition.

          3. Anonymous Coward
            Coat

            "Swan Lake in Cowboy Boots!"

            I can foresee the final shootout between Siegfried and Von Rothbart...

            (taking the duster for the duel...)

          4. Chiiirac

            Re: Properly designed security

            started on this already

            https://www.youtube.com/watch?v=FvZO-UYsehs

        2. Fr. Ted Crilly Silver badge

          Re: Properly designed security

          :-) Being a bit of a short arse meself, wanting to look a bit taller (i favour 1.5" heel, just enough y know) in worky formal clothes AND tbh when nicely broken in v comfortable too.

      2. Korev Silver badge

        Re: Properly designed security

        Having a zillion different admin roles is good for a medium to large company; however for a smaller company with only a few admins it'd just make their job very difficult as they have to look after everything.

      3. bombastic bob Silver badge
        FAIL

        Re: Properly designed security

        role-based access... "someone" still needs to set that up. They fire "that guy" and he retaliates. now what?

  6. Alistair
    FAIL

    IT guy gets fired and goes rogue.

    I just have to wonder how dependent they'd made themselves on this clown. There are things one does in cases like this, over and above 'lock the user's accounts'. (I've been on a couple of those phone calls, including once having to head to the office at 22:00 and meet with police officers who wanted the logs of *everything* I typed into a CLI.) There's much to be said about incompetence here. On both sides.

    1. a_yank_lurker

      Re: IT guy gets fired and goes rogue.

      One issue is how big the IT staff is and their respective responsibilities. In small to medium non-IT organizations there may be only 1 or 2 true sysadmins on the payroll. I have worked for companies small enough that the onsite IT department was the most computer-literate employee; usually someone who had a vague idea how a network worked and how to install and maintain the anti-virus. Anything really serious would require bringing in an outside contractor.

    2. ecofeco Silver badge

      Re: IT guy gets fired and goes rogue.

      Most small businesses I've seen do not really have an IT department. As the other poster just said, it's usually one or two people or someone on-call at most, and they are woefully underpaid and inexperienced.

      So they get what they pay for.

      Same for their actual systems. Obsolete and put together by some hack that would literally take weeks for an outside person to do discovery and mapping before even attempting to repair and optimize, which of course, they don't have the budget and time for.

      Theoretically, small businesses are an untapped goldmine for on-call and consultant IT, but in reality, it's a low budget nightmare.

  7. Anonymous IV
    Unhappy

    "Given the boot"

    Really disappointing that the author didn't manage to crowbar this into the piece somewhere.

    An opportunity missed. 7/10

    1. David 132 Silver badge

      Re: "Given the boot"

      Yeah. And was this admin the sole culprit? Heel be lucky to get another job, anyway - probably be on his uppers after paying off the fines.

      Sorry, I'm just talking cobblers.

      1. This post has been deleted by its author

    2. Anonymous Coward

      Re: "Given the boot"

      I wonder if he'd had previous spats with his employers?

      1. choleric

        Re: "Given the boot"

        The guy sounds like a real brogue.

        1. Francis Boyle Silver badge

          Re: "Given the boot"

          Bet the heel thought he'd get away with just a tongue-lashing.

          1. Korev Silver badge
            Coat

            Re: "Given the boot"

            Maybe these posts will spur them on...

  8. Doctor Syntax Silver badge

    No matter how ill-advised such revenge might be it's only common sense for management to try to part on good terms, just in case.

    1. John Tserkezis

      "No matter how ill-advised such revenge might be it's only common sense for management to try to part on good terms, just in case."

      Agreed. I've said this before, and I'll say it yet again:

      Never piss off your customers, they might not come back. More so, never piss off your employees, not only will they not come back, they'll leave a trail of destruction on their way out.

  9. Anonymous Coward

    Amateur...

    The way to successfully revenge-hack a company is to delay the attack long enough such that it does not appear to coincide with your being fired.

    Create your dummy admin backdoor account well in advance (because you're the kind of bastard that does this sort of thing, you're planning ahead, natch) and make sure there is an obscure VM that you created "for testing" and happened to leave running "on accident."

    Then after you are fired, use a free VPN (at a minimum, TOR would be better) from an Internet cafe (pay in cash) in another city; remote in to the VM and setup a self-deleting Scheduled Task on the server to nuke the database or bork the backups (or whatever havoc you wish to cause.) But the key thing is to set the start date/time for the malware launch in the future by at least 60 days. Then delete the VM and the back-door account and wait for your glorious revenge to serve itself.

    The other key thing to do is to NOT act all crazy when you're let go - be upset (you *are* being fired after all) but not angry so they won't immediately suspect you're an asshole.

    1. Anonymous Coward

      Re: Amateur...

      Wow, I can see you've put a scary amount of thought into this. I had always figured that if I were in this kind of situation, the most sensible, measured and mature response would be to throw toilet roll over the ex-employer's building, or leave a flaming bag of dog poop at the main entrance. I may have to reconsider this as a strategy...

    2. This post has been deleted by its author

      1. John Tserkezis

        Re: Amateur...

        "If you're good enough to set that up, you won't be sacked."

        Clearly, you've never worked for some of the employers I have.

        That is, during a takeover, they sacked the sysadmin along with some others.

        It was a bit of a "don't come Monday" thing.

        Management forgot he had all the passwords, and the keys to the computer room with him. Oops.

      2. bombastic bob Silver badge
        Pirate

        Re: Amateur...

        "If you're good enough to set that up, you won't be sacked."

        Or, you'll be called in after the time-bomb detonates, to help with the forensics and cleanup. At Month:day or week:hour ratio consulting rates, of course! And, if you play your cards right, they'll not only be HAPPY to sign the checks, they'll call you in periodically for other things, too.

    3. Andromeda451

      Re: Amateur...

      we hang'em in Texas...

    4. gnasher729 Silver badge

      Re: Amateur...

      I'll just duplicate what someone said elsewhere: The best and totally legal revenge is to find a better job that pays a lot more, and then mail the employer and all your former colleagues how much more money you are making now.

      1. Korev Silver badge

        Re: Amateur...

        And in the future one of your colleagues may be asked "You used to work at $OLDCO, do you remember what $IDIOTADMIN was like?". In these situations their answer tends to be "make or break" for the candidate.

        1. Danny 14

          Re: Amateur...

          Why do all that? Just post the secret admin account on 4chan. Someone on there will do far funnier things. Make sure all the secret account details look ooke they were created by the boss. ADSI edit creation dates for good mrasure (way before you joined)

  10. Your alien overlord - fear me

    Something not right in the article - he shut down the mail server and then the IT director read the guy's corporate emails. Whilst the server was down? Now that is an IT director !!!!

    1. Anonymous Coward
      Anonymous Coward

      read the guy's corporate emails. Whilst the server was down?

      That's not unusual - the emails were probably cached on the culprit's PC.

    2. tfewster

      Presumably by changing the heels password and booting the workstation he had sole access to?

      Still, not smart enough to keep track of what admin accounts existed

    3. Blake St. Claire

      perhaps he just turned it back on?

      If all he did was shut it down, maybe it was as simple as turning it back on.

      1. VanguardG

        Re: perhaps he just turned it back on?

        Article says some files were removed to prevent the server from coming back online. Apparently did that with several. Be rather pointless to simply turn the thing off, after all...though with Exchange, there *is* a good chance you'd foul up the datastore(s) with a dirty shutdown.

    4. eionmac

      old POP3 email?

      Old POP3 email client? Residual on the departing admin's computer.

    5. Vic

      Now that is an IT director !!!!

      It's a very simple thing to do - but yes, probably exceptional for most people of Director level.

      Vic.

    6. VanguardG

      Without a server connection, so long as one DC was up, change the password for the guy's account, log into his computer, open Outlook. It'll fail to connect to the server, but if running in cached mode (the default) the OST stored locally will still have all the emails.

      Points for IT Director knowing what a password is, though.

  11. John Savard

    Lenient

    In one important way, penalties for these offences are too lenient.

    No part of the payment of any fine levied for an offence of this kind should be accepted until complete restitution is first made to the victim. Because a criminal should never be able to pay a fine with his victim's money, and what is owed for vandalism should be treated exactly like stolen property.

    1. DavCrav

      Re: Lenient

      "No part of the payment of any fine levied for an offence of this kind should be accepted until complete restitution is first made to the victim. Because a criminal should never be able to pay a fine with his victim's money, and what is owed for vandalism should be treated exactly like stolen property."

      What? In what sense is this lenient? He has to do both. If he goes bankrupt because of it, somebody doesn't get the full due, and you can just decide which one later. But, quite clearly stated in the article, he has to pay compo to the company.

  12. x 7

    Idiot! He left a trail with the e-mails. He should have purged any that were incriminating as soon as they were sent

  13. psychonaut

    cowboy boot manufacturer

    I'm not buying boots from them then.

  14. heyrick Silver badge
    Happy

    "He was arrested shortly after the attack by the FBI"

    Okay, I know what you meant to say, but really this would read so much better the other way around, like "The FBI arrested him shortly after his attack" or something. As it stands, it looks like the FBI performed the attack. Wait! Maybe they did? Maybe they're just using the admin as a fall guy?

    ...

    div id="april_first_message" - cute!

  15. Neil 44
    FAIL

    A new word for the Texans...

    ... BACKUP !!!

    What he did resulted in something similar to a disaster recovery - wouldn't they have been in the same boat if there had been a fire / flood / lightning strike / tornado / rogue lot of steers .... ?

    1. Anonymous Coward
      Anonymous Coward

      Re: A new word for the Texans...

      Or ransomware, or a bug, or a hacker or ...

    2. Anonymous Coward
      Anonymous Coward

      Backups are for the faint of heart...

      .... Texans and Klingons don't backup. They will rewrite data on the disk with your blood using a Bowie knife or d'k tahg, whatever applies... or pay a Ferengi consultant to recover the data (consultants are always Ferengi anyway).

  16. EveryTime

    "Just revoke his access"... ??

    There is no simple answer. The company undoubtedly did cancel his obvious accounts. And he simply used an alternate account, not linked to him by name.

    This demonstrates that even an as-hole with abysmal operational security can completely screw up an installation. There isn't any hope of absolute security when firing someone that has better planning skills and impulse control.

  17. Anonymous Coward
    Anonymous Coward

    Lame

    What an idiot.

    Should have left database triggers and cron jobs that run update scripts with innocent sounding names that randomly (but with a gradually increasing frequency and severity) make slight changes to the data that accumulate over months to corrupt the database, leave no way of figuring out what data is correct and what isn't, and which renders backups useless because they all contain variations of the corrupt data.

    Phone numbers and email addresses with transposed digits, swapping customer order records with each other, altering dates, receivable and payable amounts, stock levels and locations, compliance data that'll attract regulatory penalties if wrong, getting worse and worse until it's inevitably discovered and no longer attributable to human error, but far too late to do anything about because like a cancer it's spread -everywhere-.

    If they dare fire you, burn them to the ground slowly. Bonus if you can pin the blame on another employee, and end up getting called back to consult about fixing things ;D

    C'mon, if you're going down the route of being a sociopathic sysadmin, do it right.

  18. Anonymous Coward
    Anonymous Coward

    Our IT folks vandalize daily...

    Their daily decision-making seems to be precisely tuned to inflict endless inefficiencies on the organization. They perform this destructive role from their office, as employees.

    It'd be criminal if they did it from home.

    One example is that they can't be sufficiently arsed to work up the energy to purchase €300 backup recovery software that can traverse a pathname longer than 230 characters. So hundreds of their colleagues are mandated by insane IT edict to spend their entire careers trying to cram multimillion €£$ projects into the remaining characters after most of the 230 characters have already been consumed by the larger company folder hierarchy. Then suppliers send in files with huge names, that must be renamed A.docx and B.docx to fit. Staff have pointed to the solution, which being cheaper than the problem is thus effectively free. This is just one example of on-the-job vandalism.

  19. russsh

    The real question is

    Did he release a boot sector virus?

  20. Anonymous Coward
    Anonymous Coward

    Hmm...

    I'd like to know more about the situation surrounding his firing before I brand this guy an asshole.

    Sure what he did was criminal, however, being fired and escorted off the premises sounds a bit odd to me.

    1. ecofeco Silver badge

      Re: Hmm...

      Naw, I've seen plenty of people act very dangerous when being fired.

      I've met a lot of angry people who make life miserable for those around them at work.

    2. Anonymous Coward
      Anonymous Coward

      Re: Hmm...

      Escorted off the premises was SOP for anyone at my last company, even if all you did was give two weeks notice. If you told them you were going to work for anyone remotely considered a competitor, bam – here's a box to collect your things while someone watches over you, then out the door you went. Anyone laid off got the same treatment.

      The trick to not being frog marched out the door was to tell them you were going to take some time off. Of course then you had to come in every day for two more weeks and listen to your boss whine about getting those loose ends tied up* and doing knowledge transfers. Pick your poison.

      When I left I chose to keep my dignity, but I still took all my personal stuff home well in advance of giving notice – just in case. I took time off – Saturday and Sunday – before starting at my new company.

      * I might have been more diligent about tying up those loose ends if I hadn't lost a bunch of vacation time due to them changing the vacation accrual policy the year before. Basically they stole my accrued vacation time right as I was about to take a month's vacation. I still had a negative balance when I handed in my resignation and they dunned my final paycheck as a result, fucking bastards.

      1. VanguardG

        Re: Hmm...

        A system manager/system admin should always be paranoid. I was laid off once and left to pack and leave by myself (they did have the other, surviving network admin disable my logins while I was meeting with the CIO, the first, last, and only time he ever spoke to me). I had to go by five managerial offices to even find someone at a management level to turn my keys over to, everyone else was either absent or behind closed doors. At another job, where I was also laid off, I had the full "Manager will escort you to your desk to get your things, and then out the door" treatment, *and* once as a contractor I wasn't even allowed to go to my desk after being told I was being let go - the contract recruiter went to get my things - I got most of them...just lost my cable-testing kit, which the recruiter said he "couldn't find". So, I've pretty much experienced the gamut. I'd never retaliate - beyond making rude hand gestures every time I drive past the building the company is in. Revenge might cause some stress for the few people involved in the decision to release me, but *everyone* employed there is impacted, including those I would count as work-friends.

  21. Anonymous Coward
    Anonymous Coward

    Check your mailing lists

    At one of my customers, one of the admins (a member of both the in and out-of-hours teams) was let go at 5pm on a Friday. It wasn't done horribly. They were allowed to clear their desk, say goodbye to everyone they wished to and then escorted from the building, which was company policy.

    The duty sysadmin then set about changing the credentials on all the systems and cloud instances they had access to. This took about two and a half hours. He then emailed the revised credentials spreadsheet to the sysadmin mailing list so the out-of-hours team all had it and weren't locked out.

    About 15 minutes later, the password change guy had a thought, "Did I check the sysadmin mailing list?" He did and found a personal email account belonging to the person who had just been let go was on it so he'd just emailed all the new credentials to them. It wasn't unusual for members of the out-of-hours team to have personal email addresses on the list to ensure they had updated passwords in case there was an enterprise email outage when they were changed. After a brief facepalm, he set about changing all the credentials again. I found him still in the office at 10pm muttering what a **** he was.

    Fortunately, the exposure was mitigated by the fact that the person had been let go for being useless rather than for any form of misconduct so they probably lacked the wherewithal to carry out any nuclear level revenge but the situation was still far from ideal.

    The moral of the story: Check your mailing lists to see who is on them before sending out password change notifications if you've let somebody go.

    1. Anonymous Coward
      Anonymous Coward

      Re: Check your mailing lists

      This is why you DO NOT SEND PASSWORDS BY E-MAIL!!

      Can anyone else see how this is a monumentally stupid idea?
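The two posts above describe the same control failure from two sides: a distribution list that still carried a leaver's personal address, and credentials being mailed to that list at all. The following is an added example, not code from either commenter or from The Register, showing the kind of recipient audit the first poster wishes had been run before the password spreadsheet went out. The list membership, staff directory and corporate domain are constructed sample data; `approved_mailboxes` standing in for "addresses the out-of-hours team is allowed to use" is an assumption about how such a directory would be kept.

```python
"""Audit a mailing list's membership before sending anything sensitive to it.

Added example (not from the original comment thread). All data below is
constructed: a corporate domain, a directory of currently active staff with
their approved mailboxes, and a list export that still contains a leaver.
"""

# Assumption: the company's own mail domains. Anything else is "external".
CORPORATE_DOMAINS = {"example.com"}

# Constructed directory of active staff: login -> mailboxes approved for
# out-of-hours use. Personal addresses are allowed only when listed here.
ACTIVE_STAFF = {
    "alice": ["alice@example.com"],
    "bob": ["bob@example.com", "bob.oncall@mailbox.example"],
}

# Constructed export of the sysadmin list as it stood after the departure.
SYSADMIN_LIST = [
    "alice@example.com",
    "Bob@Example.com",               # mixed case, should still match
    "bob.oncall@mailbox.example",    # approved personal address
    "carol@example.com",             # leaver's corporate mailbox, stale
    "carol.home@freemail.example",   # leaver's personal address
]


def approved_mailboxes(active_staff):
    """Flatten the directory into a lower-cased set of permitted addresses."""
    return {addr.strip().lower()
            for boxes in active_staff.values()
            for addr in boxes}


def audit_recipients(members, active_staff, corporate_domains):
    """Return {address: reason} for every list member who must not receive
    credentials: anyone not in the active directory, with a reason that
    distinguishes a stale corporate mailbox from an unknown external one."""
    approved = approved_mailboxes(active_staff)
    flagged = {}
    for raw in members:
        addr = raw.strip().lower()
        if addr in approved:
            continue
        domain = addr.rsplit("@", 1)[-1]
        if domain in corporate_domains:
            flagged[addr] = "corporate mailbox with no active staff entry (leaver or stale account)"
        else:
            flagged[addr] = "external address not approved for any active staff member"
    return flagged


def safe_to_send(members, active_staff, corporate_domains):
    """True only when every member of the list passes the audit."""
    return not audit_recipients(members, active_staff, corporate_domains)


def cleaned_list(members, active_staff, corporate_domains):
    """The membership with every flagged address removed (original case kept)."""
    bad = audit_recipients(members, active_staff, corporate_domains)
    return [m for m in members if m.strip().lower() not in bad]


if __name__ == "__main__":
    for addr, reason in audit_recipients(SYSADMIN_LIST, ACTIVE_STAFF, CORPORATE_DOMAINS).items():
        print(f"REMOVE {addr}: {reason}")
    print("safe to send:", safe_to_send(SYSADMIN_LIST, ACTIVE_STAFF, CORPORATE_DOMAINS))
```

Run against the constructed export, the audit flags both of the leaver's addresses and reports the list as unsafe; after `cleaned_list` strips them it passes. The check is a stop-gap for the situation the first poster describes, and it does nothing to address the second poster's point: a recipient audit only narrows who receives the mailed spreadsheet, it does not make mailing credentials acceptable.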

  22. Anonymous Coward
    Anonymous Coward

    Termination processes

    It's a good idea to have termination processes for Sysadmins. Understand the risk of letting go of a disgruntled employee. But, there should also be a Business Impact Analysis, with a DR Plan. That way, if the risk isn't mitigated, you have a plan to maintain business operations.

  23. Bob Hoskins
    Trollface

    Revenge is a dish best served cold

    Saw a similar thing a few years ago but the guy was able to hold his wad for a few months then installed full-disk crypto on all servers before bouncing them. That made forensics a little tricky.

  24. Potemkine Silver badge

    "Suspecting the obvious, the IT director investigated Venzor's work email account and found he had emailed a document to his private email address"

    When someone is so stupid, he really deserves to get caught...

  25. Archivist

    AC's retribution

    Amazing how many ACs have suggested better ways of bringing down the company after you're fired. This gives an appreciation of some people's mentality. Sure you've been wronged by the company (in your opinion anyway), but what will you gain by it? You'll just become more bitter.

    Worse is that it will affect your ex-colleagues; they may be laid off or even lose their jobs. Is it really true that Sysadmins have no friends?

  26. MJI Silver badge

    Company were also stupid

    They sack a sysadmin without protecting their system.

    Sack someone and you make an enemy. As soon as you are considering it make sure that you can protect your system.

    Bring them into the meeting, chat about why and how sorry you are to let them go. Offer a nice (but honest) reference. Keep them there.

    While this is happening change all passwords, temporarily block all remote access, make sure your backups are OK.

    If there is no new sysadmin ready to drop in, oh dear!

    Remember there are people who think BOFH is a documentary.

  27. SotarrTheWizard
    Mushroom

    Someone I knew. . .

    . . . .back in Netware days, had a "Pearl Harbor" process running on his network. He would have to reply to a prompt with the correct passphrase every (14+RND) days, or it would start another (14+RND) day timer.

    He never had to use it: the Boss let his nephew "inventory" the server room, and there was enough damage done (these were the days when a sudden power-down could crash disk heads. . . ) that the company went out of business. . .

  28. hi_robb

    Hmm

    Wonder if it was a spur of the moment thing....

  29. Stevie

    Bah!

    Amazing how many here assume the blame lies with the company rather than the scumsucker SA who brought us all into disrepute with this unethical, illegal, downright criminal act.

    Forget the shiny and look closer at what the report says: That this a-hole was installing clandestine ways to subvert their shop long before he was fired. Maybe his skulking around had raised suspicions? I don't know but he clearly wasn't a team player for a long while before the Chat in the Office took place.

    I guess IT professionals get a free pass from some quarters no matter how fucked-up their actions. Always the Mundane's fault no matter how they jump to do what IT specialists say they should (in this case, hiring someone who knows what needs doing because they obviously don't).

    Clearly this was a small shop that only had the one high-octane SA in the trenches. Whether that was because this one engineered the office politics that way (been there, seen that) or the company had no-one to share the duties is not clear and not - when you get down to it - relevant.

    I like to remember the oft-repeated warning from just about any chapter on computer security: nothing can protect you from a competent insider with the urge to sabotage.

    I await the inevitable announcement of the deployment of the Asperger's Defense.

    1. VanguardG

      Re: Bah!

      Ultimate blame for this idiot's actions belongs with the idiot. No doubt about that. Still, the article says it took a considerable time to physically remove the guy from the premises, and there was time spent for the idiot to get home. The manager knew HOW to change system passwords. Obviously the guy was not happy about the change in employment status, and the IT manager should have gone right to his desk and started changing passwords to every system as fast as he could do it, instead of trying to help get the guy outside. It's Texas, I'm sure they had some good-ole-boys in the manufacturing plant that power-lift pickup trucks for a hobby, whom they could have called upon for help.

      The manager failed to close and lock the proverbial door. Doesn't make the SA in the right because he used it, and who knows - maybe the SA had backdoor accounts to use if the normal ones were changed. Still, the manager didn't implement what should be standard process - whenever anyone at a senior IT level leaves, regardless of circumstances, you change *all* the passwords immediately. Even if the guy left because he was "of a certain age" and leaving only because of mandatory retirement guidelines, he shouldn't be out the door before someone was busy changing passwords.
