Computer logic bombs and journalistic logic flaws
Posted by metaphorical on 8 January 2007
What exactly is Yung-Hsun Lin guilty of, if anything?
Lin, a sysadmin at Medco Health Solutions Inc., an on-line and mail-order pharmacy based in Franklin Lakes, N.J., is accused of setting a computer “logic bomb” that “would have wiped out critical data stored on more than 70 servers.”
According to a TechWeb story of 6 January,
Had the logic bomb gone off, prosecutors say, it would have eliminated pharmacists’ ability to know whether Medco customers’ new prescriptions would interact dangerously with their current prescriptions. It also would have damaged the company financially, they say.
The story says that a co-worker “found the so-called logic bomb before it went off.” A U.S. Dept of Justice news release back on 19 December says:
The logic bomb initially failed to “detonate” on the intended day, was allegedly modified by the defendant to execute again, but was then detected by the company and neutralized.
A look at the alleged facts, though, leaves one a bit puzzled. Lin may be guilty of a crime, but it’s not entirely clear what the crime is and how the government is picturing it to have occurred. Let’s look first at exactly what Lin is accused of. From the DOJ release:
Lin is charged with two counts of fraud related to activity in connection with computers—one count for exceeding authorized access with intent to cause damage in excess of $5,000, the other for the impairment, or potential impairment, of the medical examination, diagnosis, treatment or medical care of one or more individuals.
That’s a nice chunk of legalese to parse, but it seems that an essential precondition of each count is that the “logic bomb” was active and set to go off on a particular date.
But was the bomb active, and, if so, when?
A look at the Feds’ case, represented in a very nice timeline in the TechWeb story, makes one wonder.
The timeline, which is entitled “The Feds’ Case,” says:
- Oct. 3, 2003: Lin allegedly creates malicious code, days before a Medco layoff, setting it to go off on April 23, 2004.
- Oct. 6, 2003: Lin is spared the ax.
- April 23, 2004: Alleged network sabotage fails because of a coding error. Lin later allegedly modifies the code to go off on April 23, 2005.
- Jan. 1, 2005: A co-worker stumbles across the malicious code. Medco IT security team “neutralizes” it.
- Dec. 19, 2006: FBI arrests Lin, who’s charged with two counts of computer fraud.
- Jan. 3, 2007: Lin pleads not guilty in federal court, is released on bail.
Does that really make sense? Assuming Lin planted an active logic bomb on 10/3/03, would he really have kept it intact after being “spared the ax” three days later? And then it turns out that the logic bomb was actually flawed?
Isn’t it far more likely that if Lin planted the bomb on 10/3, he deactivated it after 10/6, but left the now-inoperative code in place? Then, perhaps Lin fiddled with the code again, either making it operative, or just resetting the potential date to 2005? If that’s true, then Lin might be guilty of something like what the government alleges, at least for three days in October 2003, and perhaps for an additional stretch of time as well.
Logic bombs certainly exist, and they’re a problem that has to be addressed by IT departments and, ultimately, by law enforcement. But let’s be clear about what they are and are not.
Three weeks before the Lin indictment, also in N.J., Roger Duronio was convicted of computer fraud. In his case, Duronio, while working at UBS Paine Webber, planted code that would delete files, set it to go off at a future date, resigned, and then shorted the company’s stock, expecting the price to go down when the files were deleted. That’s a logic bomb of sorts, but it’s different from ones set for revenge or blackmail.
In the Lin case, if the government’s account is wrong in its dates, and perhaps in the so-called “neutralization” by other Medco employees, maybe it’s also wrong in its understanding of the consequences of Lin’s code. And if the TechWeb timeline inspires these obvious questions, why isn’t TechWeb asking them?