Developer sentenced to prison for activating “kill switch” to avenge his firing

JumpCrisscross

“A disgruntled developer has been sentenced to four years in prison after building a ‘kill switch’ that locked all users out of a US firm's network the moment that his name was deleted from the company directory following his termination.”

Morality aside, that’s kind of hilarious.

pm90

The bigger issue that nobody seems to have addressed is how a single developer could have a machine that only he had access to that could run this code with admin privileges over their Active Directory. Eaton should immediately explain what kinds of safeguards it has instituted to prevent this from happening again. If I were the CEO I would be thanking this person for having revealed this kind of access control vulnerability.

eurleif

Yes, and this is especially concerning because Eaton makes IoT devices. Imagine the damage a disgruntled employee could do by deploying malicious code to devices on millions of consumers' networks. A company of this size, with this large of a blast radius, should be highly diligent about internal threats.

paulddraper

Why do you think he had admin access to Active Directory?

Regardless, it should be pretty obvious that if an attacker gains RCE, they can do a lot.

gpvos

He could prevent logins of other people. That means a rather high level of access.

waltbosz

The article says he named programs after himself but also that he tried to evade detection.

How crazy would it be if he were framed.

analognoise

4 years for that is absurd.

We have an outright criminal at the top, healthcare CEOs can kill you with Excel by the tens of thousands, but a company loses some money and the rules suddenly apply?

What an absolute joke.

windowshopping

Well this seems pretty cut and dry.

b_e_n_t_o_n

Four years feels like a long time for this...

JumpCrisscross

It was premeditated. It caused actual damage. He doesn’t appear to have done anything to stop it once it started.

He gets points for style. But this is novel behaviour that has to be discouraged.

b_e_n_t_o_n

Yeah I know, it just feels long for what is almost a victimless crime. I'm aware the company lost money and therefore the shareholders etc etc.

I feel like 2 years would have made sense to me.

umanwizard

How is this a victimless crime or even almost a victimless crime? I’m confused by your post — you say it’s “almost a victimless crime” and then immediately describe who was victimized and why. So what do you mean? Just that it didn’t involve physical violence?

paulddraper

Length of sentence aside, your notion of victimless crime is wild.

Mugging is “almost a victimless crime” by that standard.

And this was significantly more victim-ful than that.

happyopossum

> actual damage

Damage is a funny word here. Yes - money was lost, but no buildings were destroyed, nor people physically harmed. “Actual damage” makes it sound like a lot more than lost time and a few extra contracts paid out.

rogers12

As a thought experiment, consider how much monetary loss and how much time wasted you would tolerate before "it's just money bro" starts wearing thin.

cmcaleer

Monetary damages are damages, I don't think this is particularly complicated. If I made it so you couldn't get several weeks of your wages for hours that you worked you would be rightly furious with me and feel like a victim.

jcranmer

I think Terry Pratchett laid it out best:

> “Do you understand what I'm saying?" shouted Moist. "You can't just go around killing people!"

> "Why Not? You Do." The golem lowered his arm.

> "What?" snapped Moist. "I do not! Who told you that?"

> "I Worked It Out. You Have Killed Two Point Three Three Eight People," said the golem calmly.

> "I have never laid a finger on anyone in my life, Mr Pump. I may be–– all the things you know I am, but I am not a killer! I have never so much as drawn a sword!"

> "No, You Have Not. But You Have Stolen, Embezzled, Defrauded And Swindled Without Discrimination, Mr Lipvig. You Have Ruined Businesses And Destroyed Jobs. When Banks Fail, It Is Seldom Bankers Who Starve. Your Actions Have Taken Money From Those Who Had Little Enough To Begin With. In A Myriad Small Ways You Have Hastened The Deaths Of Many. You Do Not Know Them. You Did Not See Them Bleed. But You Snatched Bread From Their Mouths And Tore Clothes From Their Backs. For Sport, Mr Lipvig. For Sport. For The Joy Of The Game.”

devjab

I'm not sure what is meant by supervised release but there is also three years of that after the initial four. He apparently also gets a permanent record as a felon, so I imagine it'll be hard for him to find new work. Without that, can he even have health insurance? He also can't vote in elections, right? Sounds like his life is frankly going to be ruined.

From a Danish perspective I think that this is rather cruel.

jrockway

It varies by state. In many states, felons can register to vote immediately after release (even while on parole) and aren't disqualified from programs like Medicaid. So it's not a death sentence despite what the system intends.

zonkerdonker

"Chinese national" feels like a pretty critical detail to this sentencing time.

chaosbolt

It is, there are rapists that get less prison than this.

andrewflnr

Well, there are always two directions you can go to fix a double standard.

zx8080

It's just a punishment for being too foolish: if he had scheduled it to switch some time after he was fired, that would have been funnier to investigators and he would have gotten fewer years. /s

AtlasBarfed

Should have named it cryptolockDefender() and argued it was to protect against someone disabling his account to lock out the administrator.

maxbond

Reminds me of the Siemens contractor David Tinley, who programmed an Excel spreadsheet to deliberately break periodically so that they had to hire him to "fix" it. But then it happened while he was on vacation, and he was forced to explain to Siemens employees how to "fix" the spreadsheet.

Tinley pleaded guilty and got 6 months.

https://www.zdnet.com/article/siemens-contractor-pleads-guil...

encom

Who answers their work phone while on vacation? I don't even have mine turned on outside of working hours. What a rookie.

pflenker

He was a freelance contractor. Being available basically all the time is part of the job.

esperent

I worked as a freelance contractor for years. Being available is not part of the job, in fact not having to be available at specific times, aside from occasional planned meetings, is one of the major perks of the job.

If I was expected to be available all the time, you can be damned sure I would have expected to be paid by the hour for that.

maxbond

Answering your phone is one thing, but not adding a critical date to your calendar!?

paulddraper

Who carries a separate work cell phone?

jen20

Anyone who doesn’t want some corporate IT administrator to be able to fat finger bricking their phone, or install corporate spyware on a personal device.

SturgeonsLaw

Not only do I have a separate work phone, but my personal phone has two SIM cards (one physical and one eSIM). One of those numbers is my general spam number that I give to businesses and acquaintances, and the other is my actual personal phone number that only the people close to me in real life get. I have a widget on the home screen that can disable/enable the spam SIM card at will.

Makes it real easy to control how available I am to different groups of people.

mingus88

I do, daily.

After work, I put my work phone away. I have been in this industry for over a decade and I wouldn’t have it any other way.

I will never let an employer steal time away from my family again. Especially now that they want us all to RTO. Office time is theirs, home time is mine.

hamburglar

People who are serious about a wall between work and personal business.

jajko

Most of us don't have work phones, that's stuff from the early 2000s at best. Lugging around another brick just for work, no thank you.

That being said, answering anything work related outside of work, unless they are your truly close friends, is lame and considered a character weakness, to be abused. And don't expect any extra bonus points for that.

Having a good private (aka actual) life you are willing to defend ain't a sign of weakness, on the contrary.

mingus88

Every serious place I’ve worked at wants to put MDM on all devices with corp data on it. So once you leave, they can wipe all the apps with their data on it.

And that’s fair. But I don’t want that on my personal devices. It’s literal spyware.

If work wants that level of control on my phone, they can just give me a phone they own outright. I’ll give it back when I’m done working there.

Seriously, it’s a huge mistake to mix personal and professional data on any device. Too many risks I want nothing to do with.

prmoustache

> Lugging around another brick just for work

Mine just stays on my desk when working and goes to a drawer when not. It is basically just a 2FA device. There is nothing to lug around.

MemesAndBooze

balamatom

This is like the archetype incarnate.

> Ranked #4 in "100 Best Corporate Citizens" of Corporate Responsibility Magazine in 2013, also ranking in Top 50 for Six Consecutive Years.

Fucking bozos!

ReptileMan

The article is pretty light on what exactly the charges were. Anyway he should have been slapped with a lot more monetary penalties and probably less prison time.