Logic Bomb Fails to Cripple Medco’s Systems

By kurifodo at 2:09 pm on January 27, 2008 | 2 Comments

In a recent article on Computerworld, it was reported that a former system administrator of Medco planted a logic bomb which was intended to cripple the company’s network. Medco deals with prescribing drugs and various other heath services. Due to the nature of this attack, the well-being of customers of Medco were put at risk. Fortunately, the logic bomb did not succeed, and it is reported that the first wave of the attack failed due to buggy code, and subsequent waves were detected and prevented before they could trigger. The former system administrator will now serve 30 months and has to pay $81,200 in damages.

It is mentioned that upcoming layoffs could have triggered the system administrator (Lin) to commit this offense. Medco had just been restructured, and layoffs had taken place, but Lin did not lose his job. However, there were more layoffs to come, so perhaps in anticipation, Lin planted the logic bomb. It is difficult to say if there could have been anything done to prevent this offense. Since Lin was a system administrator, it is difficult to stop or deter a person of this position if they are willing to commit such a serious offense. I think the best a company could do is respond to actions taken by employees by checking their work, but enforcing a system like this would be too pricey and time consuming to be plausible.

As mentioned before, the impact of this event, if it were successful, could have been very serious. People’s lives could have been lost due to lack of prescription drugs, and others could have been damaged for life potentially. One very difficult question to answer is, what should we do with people like Lin? What kind of punishment is suitable for the crime? Even though it was not successful, the intent to harm was always present. After Lin completes his sentence, should he be trusted to work with a company’s computer systems? Who knows if Lin will have learned his lesson, or if he will be even more upset and “out to get the world.” I would think it is safe to say that a company will never hire Lin to work on their computer systems with this kind of event on his record.

Filed under: Current Events,Ethics,Policy2 Comments »

2 Comments

  • 1
    Get your own gravatar for comments by visiting gravatar.com

    Comment by sky

    January 27, 2008 @ 6:04 pm

    I do not understand why we keep hearing about employees planting logic bombs. Do they really expect to get away with it!? I would assume that practically every company would have some sort of version control system that logs all modifications to their code. Writing a chunk of code of course surely is pre-meditated, so they surely have time to think about what they are doing and the consequences. I just don’t understand the mentality that gets people to do this kind of thing i guess. If their logic bomb works, does it remove the record of their actions? I don’t really see how that would work but oh well. If they really wanted to just mess up the company, couldn’t they just like drop a key table from some database, then be like oops, i didn’t mean to do that! It would be hard to take legal action if they claimed it an accident. Or bump some power cable and disc all their servers or something. It just frustrates me to see people without an escape plan. How could they possibly rationalize doing something that they know they’re gonna get hit with a couple of years in jail for.

  • 2
    Get your own gravatar for comments by visiting gravatar.com

    Comment by jerins

    January 27, 2008 @ 11:54 pm

    This is a perfect example of how people to be hired for their skills in technology for the purpose of in some way working on a computer system need to be selected extremely carefully. Depending on the company being discussed, there are usually many different types of jobs being filled, each with varying levels of possible affect on the company and its endeavors. However it is almost always the case that the people within the company that are working on the technological aspects of the company are usually in a particulary accomodating position to negatively affect the company. This is why the trust of a person’s character should be as important a factor in the hiring of such system administrators as their ability to do the job. In fact, if an administrator turns out to be malicious, the more their technological ability, the more damage they are potentially able to cause.

    I think in general in the computing world, the focus is all too often put entirely on a person’s tech knowledge and ability, ignoring the equally important issues of character and motivations that the person has. Many of the greatest problems in this line of work lies not in technological incompetency (quite to the contrary), but in the morals and goals of those working within the industry. This is an aspect of the computer world that is overlooked far too often.

RSS feed for comments on this post