
Contractor admits planting logic bombs in his software - pkilgore
https://arstechnica.com/tech-policy/2019/12/contractor-admits-planting-logic-bombs-in-his-software-to-ensure-hed-get-new-work/
======
ChrisSD
In 2011 Tinley had refused to hand over the password to unlock the spreadsheet
for editing when asked, claiming he was protecting his work product.

> For years, the spreadsheet would glitch, Tinley would be hired to come in,
> would "fix" it, invoice Siemens, and head out again. But that all changed in
> May 2016 when Tinley was out of state, and Siemens called again about the
> spreadsheet. The company had an urgent order it had to put through, it told
> Tinley, and it wasn't working properly again. Pushed, Tinley relented and
> handed over the password.

[https://www.theregister.co.uk/2019/06/25/siemens_logic_bomb/](https://www.theregister.co.uk/2019/06/25/siemens_logic_bomb/)

~~~
auggierose
Must have been a brain freeze moment to hand over that password.

~~~
3fe9a03ccd14ca5
Sounds to me like they used Tinley being out of state as an opportunity to
push for the password. I’m sure they were suspecting something at that point.

~~~
rumanator
My guess is that they started suspecting something when he refused to hand
over the password the first time, or at most the first time a problem occurred
and he was the only person capable of fixing it.

------
mgleason_3
Wow, does 6-months in jail seem a little severe? How does one even get someone
prosecuted for this crime?

We hired a licensed plumber on 2 occasions - to install a sink and later a
shower.

We just had a different plumber out because the sink was plugged up. He
pointed out that the prior plumber had installed the sanitary-t upside down
basically guarantying it would eventually become clogged.

We also had him look at the shower because we couldn’t figure out how to get
the screen out to clear the hair. Turns out the grate was also installed
upside-down and the screws holding the screen in are in-accessible. So, there
is no way to get it out without demoing the shower.

Should this plumber be sentenced to 6-months in jail?

~~~
jlarocco
If he's purposely making mistakes to get work in the future then I don't think
6-months in jail is that bad. It's just plain fraud isn't it? Not to mention
an expensive inconvenience for all of his customers who have to deal with his
shoddy work.

On the other hand, it's entirely possible the plumber made an honest mistake.

~~~
taxidump
This sounds similar to planned obsolescence, so the moral is if you design it
that way, as a manufacturer, you are ok. Definitely a grey area here.

Edit: After some thought, I feel a precedent. My car has parts that don't
become obsolete, they flat break requiring never ending service. Surely I can
sue for fraud as the auto company has the ability to use another means.
(Devils advocate)

~~~
manfredo
Deliberately introducing errors in one's work to defraud an employer is not
remotely close to planned obsolescence. Planned obsolescence is not the
deliberate introduction of malfunctions, it is the engineering tradeoff
between longevity and other characteristics.

For example, Apple noticed that most customers replaced their phones within
2-3 years. A lithium ion battery's lifetime is determined by its charging and
discharge characteristics. Its life is extended if it is charged more slowly
and neither charged or discharged fully. But this increases charge time and
reduced usable battery capacity - both of which are key selling features for
smartphones. So Apple optimized the iPhone's battery management to deliver
good charging and usable capacity, with the tradeoff that it would degrade
significantly beyond 2-3 years of use.

This contractor's activities would have been analogous to Apple introducing
code that checks the current timestamp with the timestamp from when the phone
was sold and degrading performance when that difference exceeded a threshold.

~~~
perl4ever
"Deliberately introducing errors in one's work to defraud an employer is not
remotely close to planned obsolescence"

Perhaps, but it's two points on the same continuum.

~~~
manfredo
No they are not. One is intentionally, secretly, and illegally introducing
flaws to defraud an employer. The other is managing tradeoffs based on
technical constraints.

~~~
perl4ever
I don't think that planned obsolescence is unintentional. If it's not
completely _secret_ , it's not _admitted_ to either, and it's not illegal
because it's not illegal.

Is it particularly that you think that there isn't a continuum from legal
actions to illegal actions? Isn't it possible and common that two instances of
similar actions can be on the right and wrong sides of the law?

~~~
manfredo
Planned obsolescence is not at all unintentional, it is highly deliberate.
Every product needs to plan for it's intended lifespan, from phones to nuclear
reactors.

Planned obsolescence and what this contractor did are not on any sort of
continuum. This contractor was not making a trade-off, he deliberately
sabotaged his work. This is not on any sort of continuum with optimizing
phone's battery life for a certain number of years, or making similar
tradeoffs.

~~~
mandelbrotwurst
I agree with you to the extent that companies design their products to become
obsolete in a way that actually considers all of the trade-offs in a way that
makes optimal use of the resource at hand and does not intentionally shorten
the lifespan of its products in an attempt to boost sales at the expense of
generating additional waste and reducing the value of the finished product.
Once you start doing that, you ARE being intentionally destructive.

------
rustybolt
Shows the importance of code reviews.

I wonder why this is illegal but it's legal for hardware to deny service or
even break stuff when they detect you're using something they don't like (I'm
referring to printers, but I also remember a case where a microcontroller
would try to brick something when it detected a counterfeit cable).

~~~
elldoubleyew
What was the case of the microcontroller detecting the counterfeit cable? I
don't think I've ever heard of this.

~~~
orev
APC does this on UPSes. It’s an extremely bad practice that drives people
crazy. They use a standard connector, like serial, RJ45, or USB, but with a
non-standard pinout and give you a custom cable. God help you if you throw
that cable in a box with other standard cables. And if you plug a standard
cable into this non-standard port, the UPS panics and completely shuts down,
including anything you have connected to it.

APC devices are generally pretty good, except for this infuriating and
dangerous “feature”.

It’s almost 2020, and vendors still have this ridiculous idea that they can
lock you into their proprietary ecosystem by doing stuff like this.

~~~
bashinator
I actually know why this is a thing! Originally, APC UPS's used RTS/CTS flow
control on the RS-232 connector for communication with the host PC. They
wanted to maintain this compatibility (which used a nonstandard wiring) when
they later added the Smart-UPS protocol.

That said, there's absolutely zero reason to keep maintaining this ancient and
dangerous option.

------
javagram
Apparently it was a password protected spreadsheet.

Which seems like incredible incompetence of the company to accept code in that
format in the first place and to not have demanded the password when the first
issue arose.

~~~
zelon88
If you dump the XML and remove the <sheetProtection password=/> line you don't
even need to ask for the password.

~~~
arthurcolle
Haha really? That is hilariously insecure.

~~~
zozbot234
I surmise that the password feature is _not_ meant for true security. It's not
protecting the whole document, just the spreadsheet formulas and VB code.
Requesting a password for changes to the formulas obviously prevents
accidental mistakes, and makes it unambiguously clear that only some people in
the enterprise (those who know the password) are 'supposed' to make these
edits. Quite clever, as far as it goes.

~~~
kevindqc
Makes sense. The software needs to access that code for the spreadsheet to
work, so if it was encrypted for example, then the spreadsheet would be
unusable unless you know the password

~~~
arthurcolle
I guess in any case, if you really care about security, you could just encrypt
the file separately and only send someone the encrypted binary.

------
hurricanetc
I read the DOJ link and it just states “intentional damage to a protected
computer.”

If he had accidentally written sloppy code that happened to break periodically
would that have been illegal? I don’t fully understand what law he broke and
how such a law would not also apply to the seemingly infinite cases of built
in obsolescence.

~~~
tc313
> If he had accidentally written sloppy code

The damage was intentional (i.e., not an accident).

~~~
hurricanetc
Right. In this case he plead guilty and admitted to having done it. I am just
curious as to which specific laws he broke and whether it is possible to
inadvertently break these laws by being a horrible programmer.

If he had intentionally created a spaghetti code mess that just happened to
break from time to time would that be different? I assume intention is
difficult to prove in court but I am not an attorney.

~~~
elcomet
> If he had intentionally created a spaghetti code mess that just happened to
> break from time to time would that be different ?

Clearly, yes. Here Siemens decided to go to court because it was obviously
malicious code. With a spaghetti mess they would just have hired someone else
to clean it.

------
EGreg
I once wanted to put a logic bomb for a client that was a startup and for
months (years?) prioritize paying others. I had accumulated $30K in debt for
them as they told me the sky is falling numerous times and that they’d pay me
as soon as the next money came in. They just had raised hundreds of thousands
but paid their own salaries and large empty office instead.

I knew I’d have the upper hand if the site suddenly stopped working. But I was
afraid of some kind of “hacking laws” being “exceeding access” or whatever
(probably stupid given what was realistic) and never did it. My only
acceptable option was to do a DMCA takedown at AWS because they had never
signed a copyright assignment.

Anyway long story short I never got paid. Been too nice / scared. And the
startup went out of business. Many of its investors were pissed. The usual.

~~~
jlgaddis
It's probably for the best that you didn't go through it and -- although it
obviously sucks that you lost $30K in the process -- hopefully you learned a
lesson from it that prevented it from happening again!

------
Rainymood
Malicious compliance by the contractor. Hilarious incompetence by Siemens.

~~~
pc86
How is this malicious compliance? He wrote code to intentionally stop working
at certain times in order to defraud Siemens by getting them to pay for what
is essentially the same work over and over again.

------
hamilyon2
It is somewhat like drm, but nobody goes to jail when books stop opening and
old games break

------
bilekas
I would be curious how they came to realise what was happening.

Also, how were the contractors changes not reviewed?

If the same engineers work keeps throwing unknown problems down the line, the
LAST thing I am doing is contacting them again.

~~~
zozbot234
Can you even "review" changes to spreadsheet code? I know that Office apps
have some support for change management, but is it even up to this task?

~~~
tyingq
There is actually pretty nice diff / compare two spreadsheets functionality
inside of Excel.

Screenshot: [https://support.content.office.net/en-
us/media/9149c7e8-6f0c...](https://support.content.office.net/en-
us/media/9149c7e8-6f0c-438d-9a49-75016a5fb629.jpg)

~~~
arethuza
Seems to be dependent on what edition of Excel you have - I had a look for it
and couldn't find it... (I'm using the up to date version from Office 365).

~~~
tyingq
Open the Quick Access drop down menu and select More Commands.

In the Excel Options dialog box, select All Commands under Choose commands
from.

In the list of commands, scroll down to Compare and Merge Workbooks, select it
and click the Add button to move it to the right-hand section.

------
leowoo91
How about the maintenance services who act lazy reporting client issues to the
main vendor? That's one of the undetected patterns I believe.

------
MertsA
>Tinley added code to the complex spreadsheets that "had no functional value,
other than to randomly crash the program,"

I could say the same about some of the... less talented developers I've worked
with in the past. Hanlon's razor might not apply in this case, but that's a
scary thought given how the US justice system seems so inept at handling cyber
crime.

------
ghostpepper
Off topic but is does anyone else feel that the phrase “logic bomb” is too
meaningless for the frequency with which it shows up in reporting these days?

It makes it sound more sophisticated than it is. What’s wrong with calling it
malware? Or even better, simply criminal behaviour that happens to involve a
computer.

~~~
jrockway
We really like PR in this field. We call making a copy of a file "piracy", as
in piracy on the high seas. We call adding a password to an Excel spreadsheet
a "bomb", as in a device designed for leveling entire cities and brutally
murdering everyone nearby. We call adding restrictions to books and films
"digital rights", kind of like the "bill of rights" that protects our
country's core values.

The prosecutors and industries that coined these terms are very clever. For
the petty crimes that they describe, they can turn the outrage up to eleven by
comparing the most minor transgression to murder. In the case of DRM, the
industry managed to convince people to buy new TVs, monitors, video cards, and
cables... to protect their rights? Their right to be turned upside down and
have the coins and bills shaken out of their pants, I guess.

~~~
elcomet
I think the word piracy was not invented by tech people, but by right holders
who wanted to make it look as bad as real piracy. It was an amazing strategy
for them.

~~~
im3w1l
As I remember it, the pirates called it piracy, and the right holders
preferred calling it theft (you wouldn't steal a car).

------
ggggtez
>$42k

Doesn't seem like he was a very good scam artist... That's not a lot of money
to risk jail over.

~~~
tc313
He probably didn't know that he was risking jail.

------
LegitGandalf
Dilbert covered this back in 95

[https://dilbert.com/strip/1995-11-13](https://dilbert.com/strip/1995-11-13)

------
BuildTheRobots
> The parties in the case stipulated a total loss amount of $42,262.50

That's an oddly specific loss amount, especially the 50c

~~~
isoskeles
What’s odd about it being specific? Take the number of billable hours he spent
“fixing” his logic bombs x hourly rate for those events.

~~~
dTal
The loss also extends to any lost business resulting from the broken code,
lost work, time on behalf of the people whose job it was to call him in, etc.
These are very difficult to quantify exactly, and so the number of significant
figures in the claimed amount looks odd. But the law doesn't allow you to say
"oh, about 50 grand", so I imagine significant figure rounding in financial
estimates isn't strongly emphasized anyway.

------
drderidder
All I can say is he must be a really good programmer if he needed to
deliberately install logic bombs to make his software malfunction after a
period of time. I've got my hands full just making things work properly in the
first place!

~~~
dmix
Yeah, really, this is the first programmer I've ever heard of who had lacked
bugs to be fixed. There's _always_ new stuff to work on.

Maybe he was only used for some older niche stuff that was going out of style
and he was trying to cling to the past.

------
pmiller2
Why does the title not contain "to ensure he gets new work"? The original
title was 2 characters too long for HN, but could have been edited to contain
that information. For example: "Contractor admits planting logic bombs in
software to ensure he’d get new work"

------
jonplackett
I wonder how they figured it out?

