
Siemens contractor pleads guilty to planting logic bomb in company spreadsheet - jaden
https://www.zdnet.com/article/siemens-contractor-pleads-guilty-to-planting-logic-bomb-in-company-spreadsheets/
======
deogeo
So this gets prosecuted as a crime, while
[https://www.pcworld.com/article/2066400/lg-smart-tvs-share-d...](https://www.pcworld.com/article/2066400/lg-smart-tvs-share-data-about-users-files-and-viewing-habits-with-the-company.html)
doesn't? Why? Both cases involve someone buying something sabotaged, and would
fit nicely under the CFAA.

~~~
danso
Where in your article does it describe something being sabotaged?

~~~
deogeo
"But even after turning off the feature, the TV continued to share viewing
habits with the company"

~~~
danso
Where is the _sabotage_? The article you're sharing is from 2013. In the 6
years since, has there been a followup that shows that this malfunction was
intentional, i.e. not a bug? And any documents that describe the intended
malbehavior?

The Boeing 737 MAX crashes killed a lot of people, but the corporate behavior
behind that is going to be treated differently than an airport mechanic who
tries to sabotage a plane's equipment (never mind leaves evidence of intent,
and later pleads guilty to it)

~~~
deogeo
> In the 6 years since, has there been a followup that shows that this
> malfunction was intentional, i.e. not a bug?

Why assume it's a bug? That should be for them to prove. And why would there
be a follow-up if they never get prosecuted in the first place? Follow up by
_who_?

> And any documents that describe the intended malbehavior?

Selling devices that betray their owners isn't enough - they'd have to also be
incompetent enough to create _documents_ saying that is what they intended?

Just what kind of insane standard of proof do you require for a prosecution to
start (not convict, _start_)?

~~~
danso
> _Just what kind of insane standard of proof do you require for a prosecution
> to start (not convict, start)?_

Cite the relevant criminal statute.

~~~
deogeo
I already have, in the very first post.

~~~
danso
So are you going to cite the specific section, or are you avoiding it because
you don't want to talk about the parts that say "knowingly and with intent"?

~~~
deogeo
They knowingly and with intent implemented spying functionality, and knowingly
and with intent made a button that claims to turn it off. The only part they
_might_ not have done knowingly and with intent is the part where that button
does nothing.

Now they're free to argue that was a bug, but they should do so in court -
just how much benefit of the doubt do you think they should get before a
prosecution is launched? If there's a murder, do you just _assume_ it was in
self-defense, without any evidence offered to that effect?

------
barbarbar
It seems strange that a company like Siemens is relying on spreadsheets for
processing orders. And continues to do so when they start to malfunction.

~~~
olliej
Spreadsheets are a remarkably effective way to get things done, especially
table driven things.

Lots of “non programmers” can accomplish a huge amount with spreadsheets, and
if you occasionally need something more advanced you can get a professional
software dev to implement it.

Compare that to the alternative: paying someone to develop a pile of custom
software, and then if your needs change you require a contractor to come in and
modify that code for you. Typically you have to use the original contractor
because such contracts don’t usually include source access.

But seriously: don’t underestimate the power of spreadsheets.

------
ricanare
Reminds me of the printers that would show error messages after a while just
to get you to buy a new one. Seems to be part of the culture to cheat people
that don't know too much about IT and that is really unfortunate.

------
didibus
Wow, I'm surprised this is considered a crime, and not just some civil lawsuit
case. What are the criminal laws that this applies to, to justify the jail
time?

~~~
danso
Why would it _not_ be considered a crime? There is intent to do great damage
to the company.

~~~
didibus
Take what follows with a grain of salt, these are just thoughts that quickly
crossed my mind, I haven't spent much time elaborating the ethics of this all.

First I thought of all the things that warrant and don't warrant jail time,
the financial crimes, the inappropriate loaning practices, the breaking of
NDAs, the intentional lock in that some software systems put in place, the
theft of code by John Carmack, the lack of security measures to protect user
data of most companies, the inappropriate use of open source work without
respecting the license terms, etc. If these don't warrant jail time, why this?

Then I just wondered about the inherent act. Let's say it was unethical. It
still feels harsh to me to give it jail time. You say great damage, but I see
it more as lesser benefits. Clearly, the Excel sheets actually saved the
company money over many years, otherwise they would just have gone back to
doing it manually or paid for some other system. This is even including the
time bomb. So overall it feels like Siemens was still content and happy with
the whole thing. There was no act of say infecting other systems or stealing
data, or ransoming, etc.

Then I wondered about the precedent this can set. Could I be liable for jail
time for a bug I mistakenly introduced, what if a company with good lawyers
made a case it was introduced on purpose as a time bomb? Maybe I made a
variable an int instead of a long one day and it overflows and I get sent to
jail for it? Do I have to worry about that now? Any limits I put in a system
could be seen as a time bomb and cause me to go to jail.

Finally I thought about the idea of shelf life. I hire a home contractor and
they cheap out on the number of nails and material used? Doubt they go to jail
for that, even though it was intentional. What about appliance manufacturers
building appliances they know won't last very long? What about products that
can't be repaired intentionally? None of that, that I know of, results in jail
time? So why is making software that doesn't last forever warranting jail
time? Why isn't it just contractual? Did they specify how long it had to work?
Why can't software have a shelf life?

