Rating the "kill switch" guy's sabotage methods
A Texas-based software engineer was convicted of several different methods of sabotaging his former employer's computers. How good were they? I'll be the judge.
A man from Texas was recently convicted of sabotaging his former employer’s computers by launching attacks from his own development server.
Developer convicted for “kill switch” code activated upon his termination
Eaton Corp. discovered the malicious code while trying to end the infinite looping causing the systems to crash. They soon realized the code was being executed from a computer using Lu's user ID, a court filing said, and running on a server that only Lu, as a software developer, had access to. On that same server, other malicious code was found, including the code deleting user profile data and activating the kill switch, the filing said.
He wrote several different attacks, seemingly focused on denying availability of systems and preventing employees from logging in.
His efforts to sabotage their network began that year, and by the next year, he had planted different forms of malicious code, creating "infinite loops" that deleted coworker profile files, preventing legitimate logins and causing system crashes, the DOJ explained. Aiming to slow down or ruin Eaton Corp.'s productivity, Lu named these codes using the Japanese word for destruction, "Hakai," and the Chinese word for lethargy, "HunShui," the DOJ said.
[…]
This kill switch, the DOJ said, appeared to have been created by Lu because it was named "IsDLEnabledinAD," which is an apparent abbreviation of "Is Davis Lu enabled in Active Directory." It also "automatically activated" on the day of Lu's termination in 2019, the DOJ said, disrupting Eaton Corp. users globally.
First, this is objectively funny[1]. Sure, bad performance reviews, reassignment, and layoffs all lead to resentment and bitterness. It’s normal to feel like you need to lash out. But actively sabotaging your company feels straight out of a soap opera or Office Space or something. Normally the point of this newsletter is, “what can we learn from this?” But let’s skip learning. Let’s just enjoy this.
In the rest of this post, I will describe his methods and rate each of them. Are they effective methods of sabotage? How damaging could they be? Are you likely to get away with it? How well did the attacker apply the technique?
To recap, he is accused of the following:
Infinite loops and fork bombing
Preventing users from logging in globally
Launching attacks from his own development server
Preventing coworker logins by deleting their profiles
Researching malicious attacks on his company laptop
Deleting data on his company laptop
Let’s get into it!
Infinite loops and fork bombing (B tier)
Resource leaks are insidious. They are often difficult to diagnose and remove.
According to the indictment and the DOJ press release on his conviction, he wrote infinite loops that allocated Java threads until the services would hang or crash. The relevant code was executed from his development server, effectively “fork bombing” the production servers using threads instead of processes. This is a ham-fisted way of using a reasonable sabotage technique.
It sounds like these were obviously malicious, but that’s just because he lacked imagination. Let’s imagine for him. What if he had done either of these:
Write threads that solve real problems, but at the end of the function they wait on some I/O that never happens. Create a new work thread each time that task needs to be done.
Spawn a “logging” thread on some rare condition, where it tries to log to a file that it doesn’t have permission to access. Write the log statement in a loop that retries on error after sleeping for 1 second. Add a comment that says, “// retry; fails nondeterministically due to network latency in backing storage”.
Then it would have taken a while for anyone to notice. Maybe the company even wastes a bunch of money on server upgrades. And when they finally do notice, you can simply say “it worked on my machine” and worst case you look incompetent. Nobody could truly prove that you intended to ruin the servers.
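From the defender's side, the leak described above has one tell: the process's thread count only ever climbs, while a healthy pool rises and falls with load. The following check is an added example (not from the original post, nor Eaton's or the DOJ's material); it assumes a Linux host with /proc and uses constructed sample series.

```python
"""Flag sustained thread growth in a long-running process.

A thread leak that waits on I/O that never completes (or retries a doomed
operation forever) never releases its threads, so the count sampled over
time is monotonic. Alerting on that shape catches the leak long before
the host hangs, whatever the comment next to the retry loop says.
"""
from pathlib import Path


def read_thread_count(pid: int) -> int:
    """Linux-only: parse the 'Threads:' line of /proc/<pid>/status."""
    for line in Path(f"/proc/{pid}/status").read_text().splitlines():
        if line.startswith("Threads:"):
            return int(line.split()[1])
    raise ValueError(f"no Threads: line for pid {pid}")


def is_leaking(samples, min_samples=6, max_dips=0, min_growth=1.5):
    """Decide whether a series of thread counts looks like a leak.

    samples: counts taken at a fixed interval, oldest first.
    A leak is reported when the series has at most max_dips decreases
    and the last value is at least min_growth times the first. A healthy
    worker pool oscillates and therefore shows many dips.
    """
    if len(samples) < min_samples:
        return False  # not enough history to say anything
    dips = sum(1 for a, b in zip(samples, samples[1:]) if b < a)
    return dips <= max_dips and samples[-1] >= samples[0] * min_growth


# Constructed samples (hypothetical JVMs, one sample per minute).
HEALTHY = [40, 52, 38, 61, 44, 47, 39, 55]  # pool grows and shrinks with load
LEAKING = [40, 46, 52, 58, 64, 71, 77, 84]  # every sample above the last


if __name__ == "__main__":
    for name, series in (("healthy", HEALTHY), ("leaking", LEAKING)):
        print(f"{name}: leak={is_leaking(series)}")
```

In practice you would feed `is_leaking` a rolling window from `read_thread_count` (or the JVM's own thread metrics) and page on the first True.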
Worldwide outage when active directory account is terminated (D tier)
On his development server lived a function named IsDLEnabledinAD. This is objectively the funniest part of the story. It calls to mind the old Nathaniel S. Borenstein quote:
No ethically-trained software engineer would ever consent to write a DestroyBaghdad procedure. Basic professional ethics would instead require him to write a DestroyCity procedure, to which Baghdad could be given as a parameter.
What did IsDLEnabledinAD do? It was designed to prevent users from being able to access the servers, and when it activated it prevented thousands of users globally from being able to access systems.
If we’re only considering damage, this is probably A tier. You want revenge. Give everyone the middle finger. Burn it all to the ground.
But if you’re a normal person and trying to avoid jail? Obviously F tier. What do you think will happen if — without any warning — every single person can no longer access the computer system? Are they going to say, “Wow, good game. You heckin’ got us.” No! They’re going to figure out what is going on, then figure out that you did it, and then call the police because you maliciously attacked the company. There’s no way to clean this one up. They’re going to notice. They’re going to get mad. They’re going to come after you.
So this is basically an F-tier attack that gets upgraded to a D because it certainly meets his itch for going out in a blaze of glory.
Launching attacks from his own dev server (D tier)
Once they figure out that it’s you, they’re going to look through your dev server and every single backup they made. Your goose is cooked.
This should obviously be an F-tier mistake. However, aren’t there some weird security practices at this company?
I have some sympathy for the following line of thought: “nothing at this company is done correctly. We mix the development and production environments. Everything is ad hoc. We leave servers running all the time that nobody understands. Hell, I have permission to call arbitrary endpoints on our production services from development. They will have no idea what I’m doing. I can surely get away with this.”
Of course, this isn’t a correct line of thought. Just because the company makes one mistake doesn’t mean it makes every mistake. If you have your own VM that other people cannot access, and there’s no way to add a new server without going through an explicit request flow, I guess that’s where you’d do it? But couldn’t this guy wait until someone got up from their computer without locking it? Surely there had to be a way to pin it on someone else.
Preventing coworker logins by deleting their profiles (F tier)
People are going to notice this, they will investigate, they will discover what you did, and they will get mad.
This is similar to the outage reasoning, but without the “blaze of glory” boost. It’s just too obvious that something is going wrong.
Researching malicious attacks on his company laptop (F tier)
This is an open-and-shut case. Don’t do this if you’re in the crime business. It’s the company’s laptop. They’re gonna monitor it. They might record every keystroke you make. They might mirror every file in your browser folder. They might even make backups and review the contents of the backups later at their leisure.
It’s even worse when you consider that everyone has smartphones these days. Just take it out of your pocket and search there!
Deleting data on his company laptop (D tier)
OK, so you’ve already made a huge mistake. You’ve stored an incredible wealth of incriminating evidence on your company-issued laptop. You’ve been Googling a ton of incriminating evidence. Your fork bombs are firing and you know that your outage trigger is going to run later.
Every single decision you’ve made has been bad. You might as well keep the ball rolling. Increase your legal liability. Give the newspapers something else to report. At some point surely your mistakes will start canceling out, right? Also, please for the love of god this is not legal advice, do not do this.
This is D instead of F tier because you’ve made so many mistakes that maybe some will start canceling out. Maybe you’re lucky and the company’s backups don’t work, or they don’t actually take backups. You might get in trouble for deleting encrypted volumes, but the contents of the volumes might have gotten you into more trouble. Make the company prove that they can actually recover all of that data.
Combined score (F tier)
Honestly, a disappointing showing from the kill switch guy. Most of his attacks were designed so that he would be the obvious sole culprit, and were also very noticeable. Of course he was going to get caught. The only interesting technique he attempted was the resource-denial attack using an infinite loop to spawn threads. This just goes to show: crime doesn’t pay[2].
[1] Assuming, of course, that nobody was hurt by the outage he caused.
[2] Except for all of those situations where it pays quite well. To be clear: you should never commit ANY crimes. Crimes are bad. But if you do commit them, shouldn’t you do the ones that pay? Food for thought.