Fannie Mae Unix Engineer Gets 41 Months for Planting Logic Bomb (thenewnewinternet.com)
84 points by wglb on Dec 31, 2010 | 49 comments



While it will probably always be hard to stop inside-man attacks, it will probably always be easy to do backups :)


And as Fannie Mae provided the inside-man with root access to all the main systems, it was apparently just as easy to destroy the backups.

Edit: also in reference to this comment: http://news.ycombinator.com/item?id=2054679


If root access to systems lets you destroy backups then they cannot rightly be considered backups.


The Tao of Backup: http://www.taobackup.com/


Also, while it will probably always be easy to accomplish inside-man attacks, it will also be generally harder to get away with them than you might think. (Especially if real money is involved!)


Just imagine if that guy had been successful. Americans would have been debt free!!


Actually what would happen is taxpayers would have to pay more to recover the data and go through the physical copies. So in reality we would be in more debt. Life isn't Fight Club. (Movie, not book)


Nope. There are plenty of backup records for all of the debts. Physical records of deeds, contracts, etc. And it's possible much of the data could have been restored through backups and data retrieval methods. What this would have caused would be delays and difficulties in handling existing mortgages but the biggest impact would have likely been an inability of people to apply for new mortgages using Fannie Mae, which is hardly a win for anybody.


In retrospect, it probably would have been a good thing.


You think that debt wasn't leveraged? You think people can just not pay back loans and no one gets hurt?


Yeah it's easy, just convince everyone you're too big to fail and have the American taxpayer pay it off.


The way the US economic/legal system works is that banks can just not pay their debts and the banks' owners don't get hurt.

If debts owed by banks aren't legally enforceable, debts owed to banks shouldn't be either. To put it another way, limited liability, if it exists, should go both ways.


41 months seems exceptionally high given that it was discovered before execution. It would take me an hour to dig it all up, but there are federal sentencing guidelines based on the dollar amount of damages. I don't think they take potential damages into account.


Funny, I came here looking for the exact opposite post to upvote. Seems exceptionally low to me, given the obvious malicious intent and potential damages. But I'm mostly ignorant about the relevant law.


I assume you mean relative to other sentences/crimes you're aware of? It may be low compared to those, but in general, American sentences seem exceptionally high to me, and this is a good example.

I don't think a stronger sentence would have deterred him. I doubt he sat down and thought "If I get caught, I'll only get 3 1/2 years, which isn't too bad. Now, if I would get 10 years, that's another story..." I doubt he even knew the specific penalties for doing this. It seems to me he assumed he'd never get caught.

I think others reading this article will be deterred by the thought of losing 3 1/2 years of their life, and having their life after prison ruined in many ways. For example, try to explain a 3 1/2 year gap in your employment history during a job interview. And for the ones who aren't, I don't think a 10 year sentence would somehow deter them.

I don't think this guy is likely to commit another such crime after his release. I doubt he figures that 3 1/2 years in jail and putting his life back together isn't that big a deal and planting another logic bomb feels so good that it's worth it to do it again.

The only other motivation for punishing a crime is vengeance, an emotional feeling of hurting someone who tried to hurt us. That seems a poor motivation for taking away even more of someone's life.

He did something malicious that could have caused a lot of problems. He needs to be punished. But the punishment seems way out of proportion to what's needed to reduce crime.


What annoys me about this is not the sentence, it's the way that corporations can get away with doing the same thing.

If malicious software is a bad thing -- and it is -- then let's punish everyone who does it. Starting with Sony when they put a rootkit in CDs. But of course, Sony are a big corporation, so that makes it OK.


For completeness' sake, there is a third reason for incarceration - The prisoner can't commit new crimes while detained. Not that it matters in this case.

I otherwise fully agree with your sentiments.


If you'd be willing to take the time to dig something up on that I'd love to read it.

It seems surprising to me that potential damages would not be taken into account. By doing so, the accused would essentially be rewarded based on chance - at least in this case.


Ok, let me dig. It's been a while and I'm not a lawyer.

Looking at the actual indictment, I think he was charged with just violating Section 1030 (a)(5)(A)(i) of the U.S. Code. I don't think the other two sections mentioned are separate charges.

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_0...

If you've never read section 1030, it's surprisingly clumsy and vague to us non-lawyers. Two important things for most cases are that generally any computer that is (or even 'can be') connected to the internet is considered to be 'protected' as it may potentially be involved in interstate commerce. The second thing is that for this section to apply, there must be at least $5000 in damages involved.

Then you can go look up sentencing guidelines. It's important to realize that these 'guidelines' are a lot more than just suggestions for federal judges. They can go outside of these guidelines but rarely do. http://www.sentencing.us has a great calculator. That quickly tells us to use section 2B1.1(a)(2) of the guidelines.

http://www.ussc.gov/Guidelines/2010_guidelines/Manual_HTML/2...

If you go look at those guidelines, there's a chart in (b)(1) that shows how much his base offense level would be increased depending on the damages. From the descriptions I've read, I would think the damage amount would be less than $120,000 (lost time, hours it took to clean up) so that's a +8 level increase.

Then there are a number of special modifiers that can increase the 'level' of the sentence guideline. It looks like (b)(14)(B) might apply due to the financial institution aspect, so that would be a +4, except if I read the awkward combination of (C) and (D) correctly, this automatically pushes him to a level 24.

So then you need to look at the sentencing table: http://www.ussc.gov/Guidelines/2010_guidelines/Manual_HTML/5...

The table takes his criminal history into account, which was likely none. Then we need to look at his level, which we still don't know.

If he caused under $120,000 in damages, his level should be a base of 6 plus 8 for the dollar amount. He could reduce this by 1 or 2 levels by accepting responsibility or other things. But if he was at a level 14, his sentence guideline should be 15-21 months. I would think that the damage amount could be even lower than that, especially if it had to be proved in trial. This is why I made my original statement that I thought it sounded quite high.

So they must have applied the (b)(14)(B) part to push him to level 24 for a range of 51-63. In which case his sentence of 41 months is then too low. So if he "accepted responsibility" he could reduce his 24 to a 22, getting him right at the 41-51 month range. Judges would almost always apply the lowest end of the range to a first time offender.

I think his 41 months can be split into two phases so he could spend half of it in an actual prison and then the rest on 'supervised release' - either monitored home detention or in a halfway house. He might even be able to spend the entire time on 'supervised release'. I couldn't find it but section 1030 offenses used to have a clause about mandatory 6 months 'imprisonment'.

Due to his offense level, he could have gotten 5 years probation, but 3 is typical. He will be required to make restitution to the victim for the damage amount. There's also a fine table that shows him with a $7,500 to $75,000 fine range. He'll have to make his best effort to pay those.

So that's the mechanics of federal sentencing.

This is something I wish they covered in every school program. It's amazing to realize that one angry act by a programmer or IT person could result in very severe consequences. So few people in our field realize how stiff the penalties can be, so this law isn't much of a deterrent.


5000 Servers. A "Senior Engineer" discovered this script. Probably it was a cron job or something which they review regularly?

Would be useful to know how exactly they got to that one script. Must have real good review practices, audits and logging in place if they were able to find it before it did the damage and then collect evidence to trace it back to the perpetrator.


According to an article about the indictment, it was discovered by chance:

"It was only by chance that [the Fannie Mae engineer] scrolled down to the bottom of the legitimate script to discover the malicious script"

http://www.computerworld.com/s/article/9127040/Fannie_Mae_en...


More detail from the above article:

[quote] If the malicious script had gone undiscovered, it would have disabled monitoring alerts and all log-ins, deleted the root passwords to the approximately 4,000 Fannie Mae servers, then erased all data and backup data on those servers by overwriting with zeros.

"Finally, this script would power off all servers, disabling the ability to remotely turn on a server," said the government's complaint. "Subsequently, the only way to turn the servers back on was physically getting to a data center." [/quote]


Most of my student loans were issued by them, if only the logic bomb had executed and destroyed my loan data...


You would be debt-free for the 48 minutes it takes to restore from backups.


Those taxpayer subsidized loans to get you an engineering degree are such shackles...


Sallie Mae = student loans. Fannie Mae and Freddie Mac are home mortgage only.


Did all the financial institutions in the States get together to come up with the most ridiculous sounding names?


They're attempts to phonetically sound out the acronym.

FNMA = Federal National Mortgage Association = "Fannie Mae"

SLMA = Student Loan Marketing Association = "Sallie Mae"


Attempts that give them "folksy" small-bank sounding names.


He added malicious scripts to the bottom of a legitimate one? I have seen WordPress hacks obfuscate themselves ten times as cleverly. For example, by eval()ing rot13(), gzipped, and base64()'d code included from a file with a legitimate-looking name.


What would the actual consequences have been had it worked?


Remind me again, how many months did the Fannie Mae executives get for bombing the economy?


Does anyone know what the actual "logic bomb" consisted of?

My money is on a crontab that executed a simple set of ssh command attacks on the specified date.

As per the article, to destroy "all data, including financial, securities and mortgage information," it would be as simple as an "rm -rf" across multiple servers. Except for one critical item, he would have to have root access on all those servers.

Either the scope of his potential damage was very small, or Fannie Mae had some terrible security and change management policies in place.

I cannot decide which to pick.



The choice bits:

  > During this time Makwana had root access to all of the main
  > systems, credentials which the company failed to revoke until
  > the evening of the day of his layoff.

  > His intention was nothing short of replacing the entire financial
  > data, including the backups, from all of the company's production
  > servers, with zeroes.

  > the admin appended malicious code to a legitimate script, leaving
  > a page-worth of blank lines between the two in order to avoid
  > detection.

  > Had this malicious script executed, engineers expect it would
  > have caused millions of dollars of damage and reduced if not
  > shutdown operations at Fannie Mae for at least one week.
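
An added example, not part of the thread or the article it quotes: a defender-side check for the layout described in the quoted passage above (code appended to a legitimate script after a long run of blank lines), combined with a comparison against a known-good hash. The function names, the 20-line threshold, the script name and the sample contents are assumptions constructed for illustration.

```python
import hashlib


def padded_gaps(text, min_blank=20):
    """Return (first_blank_line, blank_count, resume_line) for every run of
    at least min_blank whitespace-only lines that is followed by more content."""
    findings, run_start, run_len = [], None, 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "":
            if run_len == 0:
                run_start = lineno
            run_len += 1
            continue
        if run_len >= min_blank:
            findings.append((run_start, run_len, lineno))
        run_len = 0
    # A blank run that reaches end of file hides nothing, so it is not reported.
    return findings


def audit(name, text, baseline_sha256, min_blank=20):
    """Pair the layout heuristic with a comparison against a known-good hash.
    The hash comparison is the stronger control; the gap check only explains
    what a reviewer scrolling the file would have missed."""
    digest = hashlib.sha256(text.encode()).hexdigest()
    return {
        "script": name,
        "changed": digest != baseline_sha256,
        "padded_gaps": padded_gaps(text, min_blank),
    }


# Constructed sample data: a short maintenance script and a copy with a
# harmless placeholder line appended after 60 blank lines.
LEGIT = "#!/bin/sh\n# nightly log rotation (constructed sample)\nrotate_logs\n"
APPENDED = LEGIT + "\n" * 60 + "echo 'appended block (harmless placeholder)'\n"
BASELINE = hashlib.sha256(LEGIT.encode()).hexdigest()

if __name__ == "__main__":
    for label, body in (("clean", LEGIT), ("tampered", APPENDED)):
        print(label, audit("rotate.sh", body, BASELINE))
```

The baseline hash has to be stored somewhere the script's editors cannot write to, otherwise the comparison has the same weakness the thread points out for the backups.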


During this time Makwana had root access to all of the main systems

This quote above, and the entire article boggles the mind. I've worked with big and small organizations that protected root on <10 machines like it was the key to preventing aging.


Still, somebody has to have it. If the number of people is too low, you risk them all being unavailable when you really need them. And there isn't a whole lot you can do to stop a malicious actor who already has root.


Not sure this matters much. Most places I've worked have considered local root exploits not worth patching. So if you have a user account, you have root.


The more systems there are, the more likely this kind of thing is.


Or they have an automated system that has root access to everything (say, to push config changes), and he had access to that system, or he had a way to crash/corrupt their SAN, or they only do black-box testing and not full code reviews (and the next guy to get assigned a bug in that same program found it), or they have code reviews that can be dodged with faked documentation, or...


If he was part of the SA team for their production systems, it's likely he DID have root access to all of them, and that it was legitimate and had business justification. Even if he didn't have explicit root access, it's even more likely he had direct physical access, which is generally less carefully protected by IT policies and is usually all or nothing.

Granted, this isn't just run of the mill data, and Fannie Mae could have certainly had significantly better security policies in force, but I don't think they were below average for a corporation in their security policies.


How did they prove in court that it was planted there by him? After he gave his laptop away, everything could have happened to it. Maybe just a cheap trick to punish him for something they couldn't 'prove'.


"the malware was designed to spread throughout the Fannie Mae network of computers and destroy all data, including financial, securities and mortgage information"

Not really malware though, that sounds like a good thing.


"the malware was designed to spread throughout the Fannie Mae network of computers and destroy all data, including financial, securities and mortgage information"

Sounds like a prototype for the toxic mortgage derivatives spreading throughout the banking system.


Actually it's very easy to plant a logic bomb using http://en.wikipedia.org/wiki/Bit_twiddler


We don't know the whole story but if you hold that much grudge in yourself this is how you end up. Bad karma brought him bad karma.


How in the world can you stop that and why did the company have only 1 person handle such an important task?


I'll take a mortgage-reduction bomb any day...


We had a mortgage reduction bomb a while ago. It didn't work out well for very many people.

http://en.wikipedia.org/wiki/Financial_crisis_of_2007%E2%80%...



