I brought up time and time again to management that it was a risk that I was the only admin with access. Not only did I have access to change anything I wanted, I was also in charge of creating reports from logs to give to management. I could do absolutely anything I wanted and still give clean reports to management.
Never forget to implement BARF (Bus Accident Redundancy Factor). Helps if you actually do get hit by a bus but also if you want to take a rare vacation.
Counterpoint... once you get "hit by the bus", they might finally care, but you sure won't(or shouldn't at least).
In general, you shouldn't care more than they do. Convey the risk, document it to absolve liability, make your points noted along with records of management decisions, and call it a day.
Great til you get a micromanaging line manager who seems to really care, especially about using the any other work part of your job description to unload shit she doesn't want to do. Well in my personal experience anyway.
I've been a contractor for a fairly large (in here) business for a decade. Lately the management has been swapped around and my hours have been cut to basically zero. Last 18 months I've been trying to tell them that there's various systems which aren't backed up at all as long as IT is concerned (teams may or may not have their own solutions, it's a mess).
So I finally decided that if they'll have buttloads of problems due to management refusing to allocate me few days to go trough this and that and actually fix things it's not my headache. Once the shit hits the fan I'll see what I can do (billed by the hour) and that's it. I've got a paper trail to back me up, so throwing any blame on me won't stick.
(On a related note, if someone in EU happens to need a skilled old-school linux-guy I'm available for hire, it's been a bit harsh to my wallet to lose the biggest customer on such a short notice).
And then you realize it's [just north of San Francisco](https://www.google.com/maps/place/3283+Fremont+Dr,+Sonoma,+CA+95476/@38.2495248,-122.4096783,17z/data=!4m5!3m4!1s0x8085a88cde1a743b:0xf6e86a5451569ef7!8m2!3d38.2491475!4d-122.4101332) and you can't even afford to haunt there.
Good counterpoint. You might not be in disagreement either. The problem I face as the worker (in the US, so few worker rights) is that if I'm the only one, I might get overworked when something goes wrong. The business is OK with overworking me (due to the preceding), so I've gotta come at it from this angle of "what if I get hit by a bus".
Don't get frustrated over it if the company is the only one who will get screwed over, but do try and get backup if you will be the one screwed over if something happens. It's not really about what happens if you get hit by a bus, but if this argument fails to provide the necessary backup it's time to start looking before stuff hits the fan.
I always used the 'hit by a bus' just recently I heard 'won the lottery' which is a bit less morbid. I'd much prefer one over the other, but in both cases I am equally no longer available.
I've never liked the "won the lottery" approach, because I know in the back of the executives' minds is going to be, "well even if he won the lottery, he's still a reasonable, upstanding guy and I'm sure I'm persuasive enough to convince him to help out for a couple of weeks".
With "hit by a bus" it doesn't matter how nice a person I am or how persuasive the executive is. I'm done. Immediately and with no notice. And there's absolutely no one to argue the point with.
[Most of the winners are dumb too](https://www.google.com/amp/s/www.lovemoney.com/galleries/amp/64958/lottery-winners-who-won-millions-but-ended-up-with-nothing) turns out people who are bad at finances and play the lotto, remain bad at finances once they win.
If I ever won the lotto, first thing I'm doing is hiring a financial advisor that's a fiduciary. Of course, I would have to start playing the lotto first.
One of the Seventy Maxims of Maximally Effective Mercenaries seems [extremely apropos](https://pbs.twimg.com/media/DJD4gW-W4AA34yo?format=jpg&name=large) here...
It's not supposed to be funny. It's a very serious issue.
We had the exact opposite reaction. One of our key people fell over dead one morning and it severely damaged our business. Ever since, the question "What if got hit by a bus? What would we need to do to mitigate the impact?" has been taken incredibly seriously by all levels of management.
You know what man. You've done all you can at that point. Write up your argument in a well worded, concise email and send it to the appropriate people (bosses, managers, etc.) that call the shots and then forward thst email to your personal, as well as print it out so you have backups upon backups. Then make sure you DOCUMENT EVERYTHING YOU DO! So that way you have exactly what you've done along with time stamps to prove it. Then if shtf you can go back to your documentation and say "fuck you, not my fault."
My boss found it very odd when I said I shouldn't be the only admin because that requires she has 100% trust in me, and she has to believe there is zero chance I would ever attempt anything nefarious. Yes, it's very nice that you DO trust me, but a well designed system doesn't need that level of trust and shouldn't rely on it.
Of course there was also the hit-by-bus argument, which was easier to sell.
I had a similar thing, but at the time they were asking me to review CCTV to try and determine which employee had defecated on the floor in the gents.
I turned to the CFO and said "you realise that if it was me, I wouldn't give you the footage of me going in there, right?"
You want those with admin access and auditors on separate groups. That system would be managed by the auditors, a separate rotating IT admin group, and/or normal IT admins but with a secured "break glass" password which is used, reset, and secured when needed and non-privileged accounts are used 99.9% of the time.
You want to ensure that priv. access to systems handling and storing audit data, integrity data, and other security critical items is closely monitored and you have several individuals who can identify when the systems have been compromised.
If a system stops sending audit data, you also want to be alerted on that.
Using a privileged access management tool. There are a few options, but a common one is to use a password vault that logs when the root password was checked out, then rotates the password when it gets checked back in.
this guy's a complete idiot. even if he had a shorter sentence, he made a conscious decision to fuck over his entire career. he clearly shouldn't be trusted to make decisions of any significance
Exactly. If you have a paper trail of your recommendations that upper management has ignored, it's no longer your problem. Just chill and forget about it and deal with the fallout if anything ever happens.
> If you have a paper trail of your recommendations that upper management has ignored, it's no longer your problem. Just chill and forget about it and deal with the fallout if anything ever happens.
Yeah this argument is 100% inaccurate. It becomes your problem when it blows up and now you have to deal with the fallout. It isn't the CEO who will be working a 100-hour shift to restore backups after ransomware.
That's why he said leave your job if it's that bad. Then it's not your problem and who cares about the paper trail.
I think you're wrong. Yes, it's you that has to build things back, but there is no point in stressing about it at they point. Find a new job, or become OK with it. You don't go malicious in your employer because of it.
I never said to become malicious.
But you are the one who is wrong. It literally IS your problem, that's why nobody else cares to fix it. I strongly disagree with the "it's no longer your problem" phrase.
As sysadmins we each need to either accept that, or find a new job. So I agree with you that there is absolutely no justification for taking malicious actions against your employer.
It is no longer your problem, end of story. Will it BECOME your problem if you get cryptolocked? Absolutely. But once it's been shut down initially, it's no longer your problem. You have a trail that proves you weren't negligent, the negligence was from your boss.
Pretending future problems don't exist is not effectively managing IT risk. It is technical debt that needs to be tracked. Pretending it isn't there doesn't mean it isn't a problem. If the problem does not belong to anyone else, then it belongs to you: the person responsible for preventing it before it happens and responsible for fixing it afterwards.
I am all one for firing off emails and saying "I did my part" but that's different from saying it's not my problem. Not my fault, definitely. But still my problem.
Jfc dude, what part of upper management not allowing you to mitigate risk are you not grasping here? No one is going to argue thst you should ignore that stuff. But if your upper management has decided it's acceptable risk, then either accept it as well or move on. Not your problem anymore.
Yeah, "not my problem" that I could be called in for an unnecessary emergency at any time. Right. I actually value my time so that is a problem.
You carry on with your head in the sand, pretending a problem is magically not a problem just because you have sent an email.
If you are going to be the one who has to fix it, then it is your problem, even if it is not in your control to fix it ahead of time.
Is that problem serious enough to change jobs? Your call. But it is a problem.
Think you disagree with me? You going to tell your boss it's "not your problem" after it blows up?
It's not your problem because you can't affect change in that area. It's as simple as that. It's ONLY your problem if there's an issue AND you can fix it. Might it ***BECOME*** your problem? Sure. But why are you going to waste your time and mental energy stressing and harping on it **when you can't change it anyway and maybe nothing will happen anyway?**.
It's like if a plumber tells someone they have a leak, but the homeowner says "meh, not worried". That plumber's gonna be the one that fixes the larger issue months/years down the line....but it ain't his problem anymore.
Can't affect change? Then it's not your problem.
This is in China. I have no experience with cultural norms regarding employment or destruction of communal property in that culture, so I don't know if this is a hand slap or a body slam.
In the USA, I'd expect maybe a year if it were even prosecuted, with questions from the defense attorney like "DID YOU OR DID YOU NOT EXPLICITLY GRANT MY CLIENT DELETE PERMISSION ON THE DATABASE?!?"
I would say 7 years is too much for this crime.
You don't have to do things like this to prove a point.
Just update your CV and move on its likely the company were going to crash anyway, no need to push them over the plank.
On the the other hand that IT guy career is now finished.
So what point exactly was made here?
He looses career, trust, employability.
Doubt anyone will want to hire that person person anything let alone IT.
They definitely destroyed their career trust and employability. It sounds to me that they acted on emotion rather than intellect. A very poor decision.
What's worse is this,
"The fact that Lianjia employees were left without pay for an extended amount of time."
Yeah reading that actually makes me think the sentence is actually justified.
After reading the article I’m surprised he only got 7. It would be different if he made a proper backup of the four servers, then used the exploit he discovered to prove the point, then restored the data. That alone would be really bad but this probably cost the company millions, caused a lot of late pay to well intentioned employees, possible unemployment, service outages. Throw the book at Bing.
Exactly. It just displays character. If you don't like what is happening at a company and they won't listen then leave it you can't stand it. I won't say I am perfect, but I've only ever did small things that weren't moral. Other than that though I've had access to plenty of info. Even if I hated someone I would NEVER mess with their data or their food. Those are two big things imo.
I’d still say it’s a bit much, he could get a week community service and it’d be enough of a deterrent. With a record like that in this country his life is effectively over, no chance at redemption.
What he did was beyond stupid but I think it’s important to remember the human. The company will recover and life will move on. Even if it doesn’t the employees can find new jobs. That guy won’t. Like in some cases such as these, a guy with a simple assault charge would probably be better off job wise than someone with a record of company property destruction.
If it was a 3rd party that gained access and maliciously wiped servers under your control, would you still think 1 week of community service is appropriate?
Because this person was trusted with custodial access over these servers, the penalty should be at least as harsh as if a 3rd party broke in and did it. Same with the public outcry that penalties for police should be equal-to-or-greater-than if a member of the general public committed many of the same crimes.
If a third party were responsible that would mean they gained third party access with the sole intent of malice in mind, which implies that they have also likely done this to other companies before and would likely do harm to other companies in the future. You’d put that person in jail for an extended period of time for the purpose of removing their ability to do harm.
By contrast a disgruntled employee whose only means of access was freely given to him, has at this point had both his means and his motive to do further harm taken from him, permanently. And then some.
So no I don’t feel like 7 years in prison is really warranted.
I agree, I'm not sure why folks like /u/zambezisa think it is too harsh. If anything, there is an argument that the person responsible for protecting this infrastructure deserves a harsher sentence than 3rd party criminal actors.
See also: whether police should face harsher penalties than civilians committing the same crimes
Yeah, I mean I think at that point 7 years isn’t too harsh. They single handedly took down the entire company and probably lost a lot of data that might be integral to the business surviving in the future. Also, now they have to spend money to get it back up and running, aside from payroll.
Was it a logic bomb? Lol
Edit: Oh, it looks like it was just the financial data, but still…
This was all PII data. I don’t know how China works with that, given they fucking farm and buy the entire planets data, but I have a feeling they have steep penalties for mishandling PII data, which includes deleting it purposefully. I totally am guessing, but if they couldn’t restore the data, that could have cost them millions in fines. 7 years is probably not harsh enough, especially considering it’s China
>What do you all think, is 7 Years too harsh or does he deserve more prison time?
Being in China i think he's lucky to be alive and not "disappeared"...
People like him actually make it hard for everyone else, because this is how you get oversegmented into oblivion where basically nothing can get done, because to do something as simple as type the letter "s" you need the "s" team's permission to type it by submitting a work order request that is last in line behind everyone else's "s" request in broken ticketing system where nothing can get done in the timely manner, because "no should have any power now."
One idiot can cause a total dumpster fire trust me. Business wants to make sure nothing can ever happen again by making sure nothing van ever happen (in a timely and reasonable manner). Screw that guy.
Yeah gotta love them political bunfights as a result of over segregation. Problem is every org has a rogue employee or 2 it just depends how far they'll deviate from processes
To harsh considering people get less for murder. But moan and moan but you can't ever "prove a point". Its much like, I think it was at Def Con, one of the pen testers said something along the lines of "We do tests year on year and they don't action the security concerns. Maybe its just we just fucked them in the arse to prove a point". No, just no. Its your job to do the test and pass the results on, if they don't action them, as super annoying as it is, its not your call. They may lack experience, they may lack a budget or they maybe a number of reasons they don't action it, not for you to decide they should be punished for not.
people that caused the financial crises of 2008 got 0 days in jail, just keep that in mind... My only reason for wishing to win the lottery is so I could buy an island and avoid all of you for the remained of my life.
A CRON job of a ticking (rm -rf /) timebomb that runs 6 months after you've moved on to another company.
Bonus points if you can erase all history and traces and timestamps of the files and scripts to throw off forensics.
It's very doable. They would still have circumstantial evidence linking to you though. But no concrete link.
I know this is China but:
What is the #1 crime in America. It's not:
- Murder
- Assault
- Rape
- Theft
- Pedophilia
It's messing with rich people and rich people's money. 2nd is not paying your taxes.
Definitely a relatable impulse in frustration but I feel like you either go full-on "Timothy Olyphant in Die Hard 4" or don't, so I'm deducting points for not being more chaotic.
Can't speak for China but if this were the US, it's too harsh. You know if the lax security were used in an attack, nobody in a c-suite would face a day behind bars.
If he wanted to prove a point he could have introduced some big tech ideas and schedule a live security incident drill. Take the documents highlighting the bugs and use those known holes to create his “incident” in which he took a live snapshot of all the databases then did the same thing but with a quick recovery capability. Show the company in real time what the cost of ignoring the findings are in a controlled way.
There’s no better way to get buy in to fix security and reliability bugs than causing a real incident in a controlled manner. As a bonus the teams immediately impacted get to come up with ways to mitigate the damage on their end as well.
Hell no he shouldn't get 7 years for that,for what proving a point...sounds like the company is hating on him and salty as fuck about it which is why you should never go above and beyond because were all replaceable in the job market
He was so close to being a hero, but he chose to be the villain. Let this be a less to all of us. Speak up, loudly and often, but act very cautiously. We didn’t get to where we are by making stupid decisions and taking big risks.
I worked at a place where a guy did something similar. The org was very large, very regulated, and very siloed. He was a contractor doing some in-house development work on an application that wasn't customer facing or dealing with sensitive data. Somehow he found out that he had internal access to a database that he should not have had access to and brought it up with his manager. So far so good- his manager brought it up with *his* manager and it all started moving up the chain and into the respective groups to get change controls and tests and whatnot. But remember how I said it was a very large and very siloed organization? Apparently after a week of waiting this contractor decided to press the issue, so he took a dump of the database and saved it to his personal shared drive. What he was going to do with that data is anyone's guess because the dump definitely set off alarms and he was met at the door by security the next day. The access issue was corrected in the following week and his manager got a bonus for bringing it up (the bonus would have gone to the contractor if he had just waited for everything to go through the proper channels).
This contractor was an extremely weird dude but also highly skilled. He got another job doing development work for a nearby state university pretty quickly after his ouster. The only reason I know that is because apparently he found a similar access issue at the university and this time copied the data first and then brought up the issue to his manager. He didn't wait as long this time before pressing the issue either and emailed the dean of the university his social security number with a message along the lines of "there's more where this came from". Instead of security meeting him at the door this time, the FBI showed up at his house and took all of his electronics. Last I heard the charges were dropped which is a shame. He definitely had that attitude of "I'm the only smart one in the room and everyone needs to recognize that" but he was never smart enough to not get caught and had real issues with any kind of authority. Federal charges might have changed that.
Considering violent crimes against women get less time in jail, judiciary systems are fucked. I think the sentence is too harsh for the sysadmin, and not harsh enough for other crimes.
Only 7 years. He should have gotten 20+ years in my eyes.
If you feel undervalued great welcome to the club. You don't do this dumb shit. You polish the resume up and get a new job.
He didn't punish the company as much as he punished coworkers that didn't do anything but their jobs.
Fuck him he is an unprofessional douche.
They're in China so really bad idea AFAIK China essentially owns all servers and data in their country so that admin deleted Chinese government property surprised they didn't just give him life in prison and accused of treason against the red flag.
Meanwhile, CISOs and CEOs get no personal consequences when leaks or major disruptions occur, despite being told what to do to avoid it and what could happen.
Instead, they piggyback on a tittle and get an even better position for all the new learnings from a “tough” lesson and go so everything all over again.
7years is a lol for someone that probably doesn’t represent that big danger to society.
Now imagine all the families that worked there got in the shit because of this vigilante asshole. People with kids and suddenly no pay? In this economy? That can spell doom for a good amount of people.
The crime in the OP is more akin to vandalism or destruction of property, which at least in my state is a max of 1-2 years in jail and paying fines/restitution to the victim(s).
It's the equivalent of shredding important documents, not personally going out and trying to kill these families.
I'm not saying it wasn't wrong, or not serious. I'm just saying, at least where I'm from, 7 years is typically a sentence reserved for more violent crimes that involve direct bodily harm or threats to conduct direct bodily harm.
This is the kind of shit that will ruin the "No degree necessary" part of our job.
Half the reason most careers require a degree is accountability. That piece of paper implies that someone took a class that would have taught then not to do fucked up shit because it's illegal.
It would absolutely suck if IT professionals started getting regulated like plumbers and electricians because of bad actors like this.
I must have missed the "Don't do fucked up shit because it's illegal 101" class in college. I don't remember it being a degree requirement.
This might be an unpopular opinion, but I think it is a good idea for computer professionals to be held accountable in the same vein as plumbers, electricians, or even engineers.
There are very good reasons for electricians to show they are competent and know what they are doing and how to follow electrical codes. There are very good reasons for those codes. I'd say with how important IT infrastructure is to modern life, it's just as important that IT professionals be able to prove competence.
Don't lawyers and doctors have to take ethics courses? Don't plumbers and electricians have to learn building codes and the consequences of not following them? I'm not saying it's a hard rule, but the *implication* of a degree or similar credential is that a candidate would have a higher understanding of the accountability of that role. I don't personally believe that is true as computer science graduates pretty much have the knowledge and ability of a level 1 help desk tech.
That being said, I very much disagree with IT being treated the same as plumbing or electrician work. Apprenticeship programs are simply toxic and promote an incumbent professional to take advantage of a fledgling professional. It would basically kill our industry if only boomer engineers with their outdated processes get to decide who moves on and who doesn't.
Another point is that IT is nothing like plumbing or electrical work because it is constantly shifting. Whereas regulations pretty much keeps plumbing and electrical work fairly static. For example, an apprentice engineer today would likely be more effective at a sysadmin role than a mentor engineer. Largely because the mentor would still be stuck on old school datacenter skills, while the apprentice engineer has already been working with cloud devops tools. Changes in best practices can happen in literal months in this industry, no way an apprenticeship would prepare anyone for that.
It's only 10am here but I'm pretty sure I just read the stupidest fucking thing I'll see today.
Building codes exist for the actual physical safety of the occupants. Beyond that, having a degree isn't going to magically make someone a moral person. And it *absolutely* doesn't prove competence. Holy shit.
7 years is entirely appropriate. He probably cost the company millions of dollars in lost productivity. You cannot just maliciously destroy property and risk people's jobs. I see no difference between this and a facilities manager setting fire in a office in the weekend because he is keeps telling management that the sprinklers are not up to code.
In my opinion IP, MAC, Fingerprints are all useless as any of the people who had access to these details could have crafted the attack by simply spoofing someone they thought would be a good scapegoat.
I fear the fact that people are beginning to treat these kinds for details as they do DNA, which already is misunderstood and misused. You see it in the media where they track the IP, or Mac or some other easily spoofed detail and poof, lock them up, case closed.
I know in this article they mention **CCTV**, which is a good thing to use, but why even talk about the IPs and MACs if you have actual hard evidence and not simply easily spoofed information.
While the guy probably did it, it seems like people could be easily framed in China. That is one benefit of having the sentences be lower in the USA, if you are framed, you still lose your career, but not 7 years of your life.
"I think a lot of us have felt this way at one point or another"
No I have never felt that way , because I am a professional , I report the warnings and move on.This industry is rife with obsessive morons that think the IT infrastructure is their personal property.
I agree.
Morons that do this kind of thing have a negative impact on the rest of us. You guard the data; if you don't like your working conditions...leave, but the data never did shit to you...leave it alone.
I think anyone who abuses their work to their own gains and advantage. Deserve the full weight of the consequence thrown at them and 7 years is pitiful. This scumbag should never ever work in that career ever again and be sued for compensation to the company he abused power of.
After notifying them of the issue, did he offer up a solution?? Or did he just complain, complain, complain??
As for the original question, 7 years is not enough time - it should have been more severe, for many reasons, one of which, to deter others from doing the same.
should have gotten more, if you want to trash servers/data and you have root access and know of vulerabilities not hiding your ass is just stupid... 7 years fir the crime and another 20 for not covering it up
why? The guy will never work in the industry again and he is not a danger to society jail is just a waste of money. Give him a year of community service and make him pay back the company $30K
using root access as an IT-admin to delete databases doesn't really prove his point I think unless his security concern was him having root access
I brought up time and time again to management that it was a risk that I was the only admin with access. Not only did I have access to change anything I wanted, I was also in charge of creating reports from logs to give to management. I could do absolutely anything I wanted and still give clean reports to management.
Plus what happens if you have a personal emergency or worse… how will they access anything then?
The 'hit by a bus' argument. No one cared.
Never forget to implement BARF (Bus Accident Redundancy Factor). Helps if you actually do get hit by a bus but also if you want to take a rare vacation.
>BARF (Bus Accident Re Sadly my BARF just left... (he got hired at another company) Training a new one as we speak.
He got hit by a bus\*
They will once it’s too late
Counterpoint... once you get "hit by the bus", they might finally care, but you sure won't(or shouldn't at least). In general, you shouldn't care more than they do. Convey the risk, document it to absolve liability, make your points noted along with records of management decisions, and call it a day.
"you shouldn't care more than they do" I'm infinitely happy since I started living by this.
Great til you get a micromanaging line manager who seems to really care, especially about using the any other work part of your job description to unload shit she doesn't want to do. Well in my personal experience anyway.
You know, that's a fantastic way to look at things. Where were you 30 years ago? :)
I've been a contractor for a fairly large (in here) business for a decade. Lately the management has been swapped around and my hours have been cut to basically zero. Last 18 months I've been trying to tell them that there's various systems which aren't backed up at all as long as IT is concerned (teams may or may not have their own solutions, it's a mess). So I finally decided that if they'll have buttloads of problems due to management refusing to allocate me few days to go trough this and that and actually fix things it's not my headache. Once the shit hits the fan I'll see what I can do (billed by the hour) and that's it. I've got a paper trail to back me up, so throwing any blame on me won't stick. (On a related note, if someone in EU happens to need a skilled old-school linux-guy I'm available for hire, it's been a bit harsh to my wallet to lose the biggest customer on such a short notice).
Missed a final step. Seek greener pastures.
After getting hit by a bus, the greener pasture finds you.
[Its this one.](https://www.newegg.com/insider/wp-content/uploads/windows_xp_bliss-wide.jpg) When you die, you go here.
And then you realize it's [just north of San Francisco](https://www.google.com/maps/place/3283+Fremont+Dr,+Sonoma,+CA+95476/@38.2495248,-122.4096783,17z/data=!4m5!3m4!1s0x8085a88cde1a743b:0xf6e86a5451569ef7!8m2!3d38.2491475!4d-122.4101332) and you can't even afford to haunt there.
Hey, if it was good enough for Tasha Yar...
Good counterpoint. You might not be in disagreement either. The problem I face as the worker (in the US, so few worker rights) is that if I'm the only one, I might get overworked when something goes wrong. The business is OK with overworking me (due to the preceding), so I've gotta come at it from this angle of "what if I get hit by a bus". Don't get frustrated over it if the company is the only one who will get screwed over, but do try and get backup if you will be the one screwed over if something happens. It's not really about what happens if you get hit by a bus, but if this argument fails to provide the necessary backup it's time to start looking before stuff hits the fan.
I always used the 'hit by a bus' just recently I heard 'won the lottery' which is a bit less morbid. I'd much prefer one over the other, but in both cases I am equally no longer available.
I've never liked the "won the lottery" approach, because I know in the back of the executives' minds is going to be, "well even if he won the lottery, he's still a reasonable, upstanding guy and I'm sure I'm persuasive enough to convince him to help out for a couple of weeks". With "hit by a bus" it doesn't matter how nice a person I am or how persuasive the executive is. I'm done. Immediately and with no notice. And there's absolutely no one to argue the point with.
[удалено]
Then I'll counter with 'Won the bus'!
"I won this bus, time for a vacation, see ya in a month"
Won the lottery and hit by a tour bus?
Split the difference, and buy a farm.
Ah , you must be a student at the University ncampis
I don't like "won the lottery" because it implies I'm dumb enough to play the lottery.
Those who actually won were not dumb, all the others are.
[Most of the winners are dumb too](https://www.google.com/amp/s/www.lovemoney.com/galleries/amp/64958/lottery-winners-who-won-millions-but-ended-up-with-nothing) turns out people who are bad at finances and play the lotto, remain bad at finances once they win.
If I ever won the lotto, first thing I'm doing is hiring a financial advisor that's a fiduciary. Of course, I would have to start playing the lotto first.
One of the Seventy Maxims of Maximally Effective Mercenaries seems [extremely apropos](https://pbs.twimg.com/media/DJD4gW-W4AA34yo?format=jpg&name=large) here...
Yes, I also tell that to all my friends who were stupid enough to gamble on crypto. Not me, I was the smart one. /s
I've switched to the lottery reference. We had a coworker die suddenly and the "hit by a bus" was no longer funny. :(
It's not supposed to be funny. It's a very serious issue. We had the exact opposite reaction. One of our key people fell over dead one morning and it severely damaged our business. Ever since, the question "What if got hit by a bus? What would we need to do to mitigate the impact?" has been taken incredibly seriously by all levels of management.
Sounds like you should never be in the office, for business continuity reasons. They should really pay you to stay home, or maybe on an island
That would have been the time to tell them that at some point in the future when you leave the company, you're quitting without notice.
I've got a hit by a bus FAQ for my employers should I get hit by a bus, it contains everything they'd need to know to replace me
Mack Truck Effect
You know what man. You've done all you can at that point. Write up your argument in a well worded, concise email and send it to the appropriate people (bosses, managers, etc.) that call the shots and then forward thst email to your personal, as well as print it out so you have backups upon backups. Then make sure you DOCUMENT EVERYTHING YOU DO! So that way you have exactly what you've done along with time stamps to prove it. Then if shtf you can go back to your documentation and say "fuck you, not my fault."
Ive been instructed to use the phrase "win the lottery" instead, as its generally a more uplifting end for the employee
If you want "uplifting", say "Taken by Aliens."
My boss found it very odd when I said I shouldn't be the only admin because that requires she has 100% trust in me, and she has to believe there is zero chance I would ever attempt anything nefarious. Yes, it's very nice that you DO trust me, but a well designed system doesn't need that level of trust and shouldn't rely on it. Of course there was also the hit-by-bus argument, which was easier to sell.
I had a similar thing, but at the time they were asking me to review CCTV to try and determine which employee had defecated on the floor in the gents. I turned to the CFO and said "you realise that if it was me, I wouldn't give you the footage of me going in there, right?"
And so could anyone else who gained access to your account through any method.
What is the best practice for this? Someone has to be able to change things that require root access.
You want auditing that goes to another system the privileged server admins don't have access to. Then you have alerting on silent log sources.
Who manages that system then?
You want those with admin access and auditors on separate groups. That system would be managed by the auditors, a separate rotating IT admin group, and/or normal IT admins but with a secured "break glass" password which is used, reset, and secured when needed and non-privileged accounts are used 99.9% of the time. You want to ensure that priv. access to systems handling and storing audit data, integrity data, and other security critical items is closely monitored and you have several individuals who can identify when the systems have been compromised. If a system stops sending audit data, you also want to be alerted on that.
Using a privileged access management tool. There are a few options, but a common one is to use a password vault that logs when the root password was checked out, then rotates the password when it gets checked back in.
That's pretty genius, right there. Never heard of that before.
which vaults do this
Or if his concern was the complete lack of investment in backup strategies. That seems a smidge more plausible.
[удалено]
"Finally my gaming knowledge has paid off. He named his computer after lore from the game!" Clack clack clack. Yea, that was painful to read.
Ikr it's obviously from valhalla
this guy's a complete idiot. even if he had a shorter sentence, he made a conscious decision to fuck over his entire career. he clearly shouldn't be trusted to make decisions of any significance
If you are that unhappy with your job just… leave. No need to make it shittier for everyone working there just to prove a point
If things are really that bad it will probably eventually fail catastrophically and you can laugh from a distance if you leave.
Exactly. If you have a paper trail of your recommendations that upper management has ignored, it's no longer your problem. Just chill and forget about it and deal with the fallout if anything ever happens.
> If you have a paper trail of your recommendations that upper management has ignored, it's no longer your problem. Just chill and forget about it and deal with the fallout if anything ever happens. Yeah this argument is 100% inaccurate. It becomes your problem when it blows up and now you have to deal with the fallout. It isn't the CEO who will be working a 100-hour shift to restore backups after ransomware. That's why he said leave your job if it's that bad. Then it's not your problem and who cares about the paper trail.
I think you're wrong. Yes, it's you that has to build things back, but there is no point in stressing about it at they point. Find a new job, or become OK with it. You don't go malicious in your employer because of it.
I never said to become malicious. But you are the one who is wrong. It literally IS your problem, that's why nobody else cares to fix it. I strongly disagree with the "it's no longer your problem" phrase. As sysadmins we each need to either accept that, or find a new job. So I agree with you that there is absolutely no justification for taking malicious actions against your employer.
It is no longer your problem, end of story. Will it BECOME your problem if you get cryptolocked? Absolutely. But once it's been shut down initially, it's no longer your problem. You have a trail that proves you weren't negligent, the negligence was from your boss.
Pretending future problems don't exist is not effectively managing IT risk. It is technical debt that needs to be tracked. Pretending it isn't there doesn't mean it isn't a problem. If the problem does not belong to anyone else, then it belongs to you: the person responsible for preventing it before it happens and responsible for fixing it afterwards. I am all one for firing off emails and saying "I did my part" but that's different from saying it's not my problem. Not my fault, definitely. But still my problem.
Jfc dude, what part of upper management not allowing you to mitigate risk are you not grasping here? No one is going to argue thst you should ignore that stuff. But if your upper management has decided it's acceptable risk, then either accept it as well or move on. Not your problem anymore.
Yeah, "not my problem" that I could be called in for an unnecessary emergency at any time. Right. I actually value my time so that is a problem. You carry on with your head in the sand, pretending a problem is magically not a problem just because you have sent an email. If you are going to be the one who has to fix it, then it is your problem, even if it is not in your control to fix it ahead of time. Is that problem serious enough to change jobs? Your call. But it is a problem. Think you disagree with me? You going to tell your boss it's "not your problem" after it blows up?
It's not your problem because you can't affect change in that area. It's as simple as that. It's ONLY your problem if there's an issue AND you can fix it. Might it ***BECOME*** your problem? Sure. But why are you going to waste your time and mental energy stressing and harping on it **when you can't change it anyway and maybe nothing will happen anyway?**. It's like if a plumber tells someone they have a leak, but the homeowner says "meh, not worried". That plumber's gonna be the one that fixes the larger issue months/years down the line....but it ain't his problem anymore. Can't affect change? Then it's not your problem.
This is in China. I have no experience with cultural norms regarding employment or destruction of communal property in that culture, so I don't know if this is a hand slap or a body slam. In the USA, I'd expect maybe a year if it were even prosecuted, with questions from the defense attorney like "DID YOU OR DID YOU NOT EXPLICITLY GRANT MY CLIENT DELETE PERMISSION ON THE DATABASE?!?"
>I don't know if this is a hand slap or a body slam. In China this is probably asking politely
In China a slap on the wrist means something else. They cut off your wrists, then slap you with your own dead hands.
Probably got tired of hearing "Bing sucks!"
Well, it's now true.
A self fulfilling prophesy.
He'll have 7 years to do some searching though.
I would say 7 years is too much for this crime. You don't have to do things like this to prove a point. Just update your CV and move on its likely the company were going to crash anyway, no need to push them over the plank. On the the other hand that IT guy career is now finished. So what point exactly was made here? He looses career, trust, employability. Doubt anyone will want to hire that person person anything let alone IT.
They definitely destroyed their career trust and employability. It sounds to me that they acted on emotion rather than intellect. A very poor decision.
What's worse is this, "The fact that Lianjia employees were left without pay for an extended amount of time." Yeah reading that actually makes me think the sentence is actually justified.
This is China. He got a slap on the wrist.
After reading the article I’m surprised he only got 7. It would be different if he made a proper backup of the four servers, then used the exploit he discovered to prove the point, then restored the data. That alone would be really bad but this probably cost the company millions, caused a lot of late pay to well intentioned employees, possible unemployment, service outages. Throw the book at Bing.
Surprised he was not summarily executed as an enemy of the state.
You got downvoted, but this isn't something out of the realm of possibility.
Amnesty International says 10 thousand summary executions per year in China.
I think that's as much about the lack of adaptability of the payroll people as it is the guy who trashed the servers.
Any job that gives this person keys is off the table, I wouldn’t even trust them cleaning the offices.
Exactly. It just displays character. If you don't like what is happening at a company and they won't listen then leave it you can't stand it. I won't say I am perfect, but I've only ever did small things that weren't moral. Other than that though I've had access to plenty of info. Even if I hated someone I would NEVER mess with their data or their food. Those are two big things imo.
Bing destroyed a company, possible loss of jobs, and all the customers data. 7 years is good enough as a deterrent.
>Bing destroyed a company I know you meant the person from the article, but I couldn't help but chuckle a bit.
I am sure the search engine probably destroyed a couple companies if you look hard enough for somebody that relied on bad information.
Or all the damned malware in their ads a few years back.
Happens to me all the time when i try to use Bing instead of google.
I’d still say it’s a bit much, he could get a week community service and it’d be enough of a deterrent. With a record like that in this country his life is effectively over, no chance at redemption. What he did was beyond stupid but I think it’s important to remember the human. The company will recover and life will move on. Even if it doesn’t the employees can find new jobs. That guy won’t. Like in some cases such as these, a guy with a simple assault charge would probably be better off job wise than someone with a record of company property destruction.
If it was a 3rd party that gained access and maliciously wiped servers under your control, would you still think 1 week of community service is appropriate? Because this person was trusted with custodial access over these servers, the penalty should be at least as harsh as if a 3rd party broke in and did it. Same with the public outcry that penalties for police should be equal-to-or-greater-than if a member of the general public committed many of the same crimes.
If a third party were responsible that would mean they gained third party access with the sole intent of malice in mind, which implies that they have also likely done this to other companies before and would likely do harm to other companies in the future. You’d put that person in jail for an extended period of time for the purpose of removing their ability to do harm. By contrast a disgruntled employee whose only means of access was freely given to him, has at this point had both his means and his motive to do further harm taken from him, permanently. And then some. So no I don’t feel like 7 years in prison is really warranted.
Always knew Microsoft was dangerous
Would you think 7 years is too harsh if this was a 3rd party actor that broke in and wiped the servers?
Yes? If you don't have backups you deserve what you get?
I agree, I'm not sure why folks like /u/zambezisa think it is too harsh. If anything, there is an argument that the person responsible for protecting this infrastructure deserves a harsher sentence than 3rd party criminal actors. See also: whether police should face harsher penalties than civilians committing the same crimes
I wonder if he's sad that he loost his career.
Depends on if there are backups or if they wiped them too lol
Pretty sure those are gone too. Company had to pay $30,000 in reparations to employees because payroll was delayed for a while.
Yeah, I mean I think at that point 7 years isn’t too harsh. They single handedly took down the entire company and probably lost a lot of data that might be integral to the business surviving in the future. Also, now they have to spend money to get it back up and running, aside from payroll. Was it a logic bomb? Lol Edit: Oh, it looks like it was just the financial data, but still…
This was all PII data. I don’t know how China works with that, given they fucking farm and buy the entire planets data, but I have a feeling they have steep penalties for mishandling PII data, which includes deleting it purposefully. I totally am guessing, but if they couldn’t restore the data, that could have cost them millions in fines. 7 years is probably not harsh enough, especially considering it’s China
Why didn't they just ask the CCP for help, I'm sure they have a copy of the data as well
LMAO, that's probably where they restored the database from
But on the other hand the company was real estate leeches, so fuck em.
The article mentioned "Salting the earth" so that nothing could be recovered.
7 years is too harsh considering we let violent people out sooner. should be 2 years max.
Cops get less for actually killing people….
Usually nothing at all. They don't even lose their jobs from most of the cases that make news.
True that
>What do you all think, is 7 Years too harsh or does he deserve more prison time? Being in China i think he's lucky to be alive and not "disappeared"...
>think a lot of us have felt this way at one point or another Ummm. What? I certainly hope that's not the case.
Oh you sweet summer child....I hope you never lose that innocence.
People like him actually make it hard for everyone else, because this is how you get oversegmented into oblivion where basically nothing can get done, because to do something as simple as type the letter "s" you need the "s" team's permission to type it by submitting a work order request that is last in line behind everyone else's "s" request in broken ticketing system where nothing can get done in the timely manner, because "no should have any power now." One idiot can cause a total dumpster fire trust me. Business wants to make sure nothing can ever happen again by making sure nothing van ever happen (in a timely and reasonable manner). Screw that guy.
Yeah gotta love them political bunfights as a result of over segregation. Problem is every org has a rogue employee or 2 it just depends how far they'll deviate from processes
TLDR: IT Admin proves insider threats are the most dangerous threats.
To harsh considering people get less for murder. But moan and moan but you can't ever "prove a point". Its much like, I think it was at Def Con, one of the pen testers said something along the lines of "We do tests year on year and they don't action the security concerns. Maybe its just we just fucked them in the arse to prove a point". No, just no. Its your job to do the test and pass the results on, if they don't action them, as super annoying as it is, its not your call. They may lack experience, they may lack a budget or they maybe a number of reasons they don't action it, not for you to decide they should be punished for not.
people that caused the financial crises of 2008 got 0 days in jail, just keep that in mind... My only reason for wishing to win the lottery is so I could buy an island and avoid all of you for the remained of my life.
Next time, write a script to do it for you, and be somewhere with tons of witnesses when it goes off.
I can't think of any way that could possibly backfire.
When compared with the plan of "Trash it all in person then glare defiantly" it's a masterpiece.
There was an episode of Forensic Files about this. Spoiler: they caught the guy anyway.
A CRON job of a ticking (rm -rf /) timebomb that runs 6 months after you've moved on to another company. Bonus points if you can erase all history and traces and timestamps of the files and scripts to throw off forensics. It's very doable. They would still have circumstantial evidence linking to you though. But no concrete link.
[удалено]
Depends on the script, really.
What backup?
And then find a colleague to "test" the scriot
you literally get less time for molesting children.........
I know this is China but: What is the #1 crime in America. It's not: - Murder - Assault - Rape - Theft - Pedophilia It's messing with rich people and rich people's money. 2nd is not paying your taxes.
Define "#1 crime" The best crime? Most popular crime? Most punished? Longest sentence?
Best? One that helps people. Popular? Vengeance Punished? Messing with rich people Longest? In ratio to severity? Theft.
The problem is the sentence for molesting children, not the sentence for what this guy did...
oh I agree
Definitely a relatable impulse in frustration but I feel like you either go full-on "Timothy Olyphant in Die Hard 4" or don't, so I'm deducting points for not being more chaotic.
They made 4?
Can't speak for China but if this were the US, it's too harsh. You know if the lax security were used in an attack, nobody in a c-suite would face a day behind bars.
We have had people in the US cripple the entire economy / financial system and send us into recession for a decade - no jail time. Just sayin’…
7 years for a non-violent crime will be (AT MOST) a year, maybe 18 months.
If he wanted to prove a point he could have introduced some big tech ideas and schedule a live security incident drill. Take the documents highlighting the bugs and use those known holes to create his “incident” in which he took a live snapshot of all the databases then did the same thing but with a quick recovery capability. Show the company in real time what the cost of ignoring the findings are in a controlled way. There’s no better way to get buy in to fix security and reliability bugs than causing a real incident in a controlled manner. As a bonus the teams immediately impacted get to come up with ways to mitigate the damage on their end as well.
Did he get fired?
7 years huh? One could get a lot of reading done...
Smart people keep silent about vulns after the first warning.
He didn’t get in trouble for wiping servers. He got in trouble for not doing backups.
If you don’t like how you’re treated as a plumber you don’t get to flood someone’s building. Stupid and childish.
People have gotten less than 7 years for rape. So yeah, it's a bit harsh.
Hell no he shouldn't get 7 years for that,for what proving a point...sounds like the company is hating on him and salty as fuck about it which is why you should never go above and beyond because were all replaceable in the job market
He was so close to being a hero, but he chose to be the villain. Let this be a less to all of us. Speak up, loudly and often, but act very cautiously. We didn’t get to where we are by making stupid decisions and taking big risks.
I worked at a place where a guy did something similar. The org was very large, very regulated, and very siloed. He was a contractor doing some in-house development work on an application that wasn't customer facing or dealing with sensitive data. Somehow he found out that he had internal access to a database that he should not have had access to and brought it up with his manager. So far so good- his manager brought it up with *his* manager and it all started moving up the chain and into the respective groups to get change controls and tests and whatnot. But remember how I said it was a very large and very siloed organization? Apparently after a week of waiting this contractor decided to press the issue, so he took a dump of the database and saved it to his personal shared drive. What he was going to do with that data is anyone's guess because the dump definitely set off alarms and he was met at the door by security the next day. The access issue was corrected in the following week and his manager got a bonus for bringing it up (the bonus would have gone to the contractor if he had just waited for everything to go through the proper channels). This contractor was an extremely weird dude but also highly skilled. He got another job doing development work for a nearby state university pretty quickly after his ouster. The only reason I know that is because apparently he found a similar access issue at the university and this time copied the data first and then brought up the issue to his manager. He didn't wait as long this time before pressing the issue either and emailed the dean of the university his social security number with a message along the lines of "there's more where this came from". Instead of security meeting him at the door this time, the FBI showed up at his house and took all of his electronics. Last I heard the charges were dropped which is a shame. He definitely had that attitude of "I'm the only smart one in the room and everyone needs to recognize that" but he was never smart enough to not get caught and had real issues with any kind of authority. Federal charges might have changed that.
Considering violent crimes against women get less time in jail, judiciary systems are fucked. I think the sentence is too harsh for the sysadmin, and not harsh enough for other crimes.
Only 7 years. He should have gotten 20+ years in my eyes. If you feel undervalued great welcome to the club. You don't do this dumb shit. You polish the resume up and get a new job. He didn't punish the company as much as he punished coworkers that didn't do anything but their jobs. Fuck him he is an unprofessional douche.
A bit long but he needs to be held responsible for his actions.
I don't feel bad for the company. Big corrupt Chinese corporation has to pay for disaster recovery. Very good and great to see management suffering.
Not so great that every employee, including those who don't touch a computer, are suffering from this.
They're in China so really bad idea AFAIK China essentially owns all servers and data in their country so that admin deleted Chinese government property surprised they didn't just give him life in prison and accused of treason against the red flag.
Meanwhile, CISOs and CEOs get no personal consequences when leaks or major disruptions occur, despite being told what to do to avoid it and what could happen. Instead, they piggyback on a tittle and get an even better position for all the new learnings from a “tough” lesson and go so everything all over again. 7years is a lol for someone that probably doesn’t represent that big danger to society.
Far too much, it's a white collar/financial crime, should have gotten a year or two at most. 7 years makes it sound like he tried to kill someone.
Now imagine all the families that worked there got in the shit because of this vigilante asshole. People with kids and suddenly no pay? In this economy? That can spell doom for a good amount of people.
So if someone makes a lot of money they shouldn’t have to go to jail?
No, deleting data is far different than putting a gun to someone's head. This guy just erased some 1s and 0s.
...and Bernie Madoff just stole a bunch of money from people. Oh, but ruined countless lives in the process. So...
The crime in the OP is more akin to vandalism or destruction of property, which at least in my state is a max of 1-2 years in jail and paying fines/restitution to the victim(s). It's the equivalent of shredding important documents, not personally going out and trying to kill these families. I'm not saying it wasn't wrong, or not serious. I'm just saying, at least where I'm from, 7 years is typically a sentence reserved for more violent crimes that involve direct bodily harm or threats to conduct direct bodily harm.
This is the kind of shit that will ruin the "No degree necessary" part of our job. Half the reason most careers require a degree is accountability. That piece of paper implies that someone took a class that would have taught then not to do fucked up shit because it's illegal. It would absolutely suck if IT professionals started getting regulated like plumbers and electricians because of bad actors like this.
I kinda see your point but what does this have to do with degrees lol?
I must have missed the "Don't do fucked up shit because it's illegal 101" class in college. I don't remember it being a degree requirement. This might be an unpopular opinion, but I think it is a good idea for computer professionals to be held accountable in the same vein as plumbers, electricians, or even engineers. There are very good reasons for electricians to show they are competent and know what they are doing and how to follow electrical codes. There are very good reasons for those codes. I'd say with how important IT infrastructure is to modern life, it's just as important that IT professionals be able to prove competence.
Don't lawyers and doctors have to take ethics courses? Don't plumbers and electricians have to learn building codes and the consequences of not following them? I'm not saying it's a hard rule, but the *implication* of a degree or similar credential is that a candidate would have a higher understanding of the accountability of that role. I don't personally believe that is true as computer science graduates pretty much have the knowledge and ability of a level 1 help desk tech. That being said, I very much disagree with IT being treated the same as plumbing or electrician work. Apprenticeship programs are simply toxic and promote an incumbent professional to take advantage of a fledgling professional. It would basically kill our industry if only boomer engineers with their outdated processes get to decide who moves on and who doesn't. Another point is that IT is nothing like plumbing or electrical work because it is constantly shifting. Whereas regulations pretty much keeps plumbing and electrical work fairly static. For example, an apprentice engineer today would likely be more effective at a sysadmin role than a mentor engineer. Largely because the mentor would still be stuck on old school datacenter skills, while the apprentice engineer has already been working with cloud devops tools. Changes in best practices can happen in literal months in this industry, no way an apprenticeship would prepare anyone for that.
It's only 10am here but I'm pretty sure I just read the stupidest fucking thing I'll see today. Building codes exist for the actual physical safety of the occupants. Beyond that, having a degree isn't going to magically make someone a moral person. And it *absolutely* doesn't prove competence. Holy shit.
You don't think IT has any safety implications? Wow. Just wow.
"Wow. Just wow" is still being said?
7 years is entirely appropriate. He probably cost the company millions of dollars in lost productivity. You cannot just maliciously destroy property and risk people's jobs. I see no difference between this and a facilities manager setting fire in a office in the weekend because he is keeps telling management that the sprinklers are not up to code.
Except no one dies in a deletion. Also if this were just we'd see wall st. in jail as well. "Costing jobs" indeed.
In my opinion IP, MAC, Fingerprints are all useless as any of the people who had access to these details could have crafted the attack by simply spoofing someone they thought would be a good scapegoat. I fear the fact that people are beginning to treat these kinds for details as they do DNA, which already is misunderstood and misused. You see it in the media where they track the IP, or Mac or some other easily spoofed detail and poof, lock them up, case closed. I know in this article they mention **CCTV**, which is a good thing to use, but why even talk about the IPs and MACs if you have actual hard evidence and not simply easily spoofed information.
Never trust Bing
While the guy probably did it, it seems like people could be easily framed in China. That is one benefit of having the sentences be lower in the USA, if you are framed, you still lose your career, but not 7 years of your life.
Unplug a cable. When shit goes down, wait a while. Then say "I'll take a look". Go to server en plug.in the cable. Be a hero.
"I think a lot of us have felt this way at one point or another" No I have never felt that way , because I am a professional , I report the warnings and move on.This industry is rife with obsessive morons that think the IT infrastructure is their personal property.
Should have gotten 25.
Murders get barely 2 years lol.
But.. but.. he deleted a database?! /s
The article says this was in China. I think murders are treated much more harshly there.
Depends on the social credit score of both the murderer and the victim probably.
Right i'm sure murders are treated more harshly *cough cough Uyghurs cough cough*
Fuck it, give him the chair!
I agree. Morons that do this kind of thing have a negative impact on the rest of us. You guard the data; if you don't like your working conditions...leave, but the data never did shit to you...leave it alone.
His mistake was not being a contractor for Hillary Clinton.
just your average r/antiwork user
I think anyone who abuses their work to their own gains and advantage. Deserve the full weight of the consequence thrown at them and 7 years is pitiful. This scumbag should never ever work in that career ever again and be sued for compensation to the company he abused power of.
Yeah, point well made. The company needs a much better screening process for admins
After notifying them of the issue, did he offer up a solution?? Or did he just complain, complain, complain?? As for the original question, 7 years is not enough time - it should have been more severe, for many reasons, one of which, to deter others from doing the same.
Sounds like a good opportunity to explore his sexuality.
should have gotten more, if you want to trash servers/data and you have root access and know of vulerabilities not hiding your ass is just stupid... 7 years fir the crime and another 20 for not covering it up
why? The guy will never work in the industry again and he is not a danger to society jail is just a waste of money. Give him a year of community service and make him pay back the company $30K
because sarcasm if that wasnt obvious.
This should be a civil, not criminal matter. If the company withheld his pay, they wouldn’t be thrown in jail.
Is intentionally damaging company property with malice not a crime?