from the credentials-still-worked-FIVE-MONTHS-after-he-left? dept.
Sudhish Kasaba Ramesh, who worked at Cisco from July 2016 to April 2018, admitted in a plea agreement with prosecutors that he had deliberately connected to Cisco's AWS-hosted systems without authorization in September 2018 – five months after leaving the manufacturer. He then proceeded to delete virtual machines powering Cisco's WebEx video-conferencing service.
"During his unauthorized access, Ramesh admitted that he deployed a code from his Google Cloud Project account that resulted in the deletion of 456 virtual machines for Cisco's WebEx Teams application, which provided video meetings, video messaging, file sharing, and other collaboration tools," the US Attorney's Office for the Northern District of California said in a statement.
According to prosecutors, Ramesh's actions resulted in the shutdown of more than 16,000 WebEx Teams accounts for up to two weeks, which cost Cisco roughly $1.4m in employee time for remediation and over $1m in customer refunds.
[...] According to a court document[*], Ramesh is in the US on an H-1B visa and has a green card application pending.
[...] Ramesh faces up to five years in the clink and a fine of $250,000 when he is sentenced, an event scheduled for December.
[*] STIPULATION AND (PROPOSED) ORDER CONTINUING DATE FOR ENTRY OF PLEA AGREEMENT (PDF)
(Score: 5, Insightful) by coolgopher on Monday August 31 2020, @06:09AM (31 children)
Sounds to me like he accidentally ran a CloudFormation [amazon.com] with the wrong credentials.
The blame on this one sits SQUARELY with Cisco. There is NO WAY his creds should still have been operational. The affected customers should have an excellent case against Cisco on the grounds of negligence.
(Score: 4, Interesting) by Mykl on Monday August 31 2020, @06:29AM (2 children)
Just watch Cisco equate "unauthorised access" with "hacking" and leave it to the unwashed masses (i.e. their customers) to draw their own conclusions.
(Score: 5, Insightful) by bzipitidoo on Monday August 31 2020, @10:13AM
Yeah, this story raises my suspicions about a number of things. First, I'm guessing Cisco is engaging in the tradition of scapegoating. They screwed up. Big. Now, they're trying to blame it all on a former employee, and are seeking extreme punishment. There's no excuse for anyone to have that much access 5 months after they have left. I also question why Cisco's systems were ever set up with what seems a near single point of failure. Why did one person ever have that much power over so many systems, even when they were employed there? Also, is it so hard to set up new systems? Restore from backups, that is hard now? Where is their failover? Their secure backups? This is fricking Cisco, too. Majorly embarrassing to be caught living dangerously with their data. What is this saying, that the cloud isn't the answer to data safety after all?
Next, are Cisco's claims of millions in damages to be believed? 16000 accounts, too. That sounds like hysterical exaggeration of the alleged damages, to smear the defendant as an even eviler hacker. One thing I have seen over and over is that hackers scare normies witless. That's why they threaten the accused with prison time. They're trying to make an example of him, to give hackers more to think about. Meanwhile, the far right wackos committing real violence and bloodshed are not even being charged.
If the former employee did access systems, that alone was a damn fool thing to do. Then to engage in a little digital vandalism was far, far worse. No matter how much the former employee deserves to be vandalized, it's not worth it.
(Score: 3, Informative) by canopic jug on Tuesday September 01 2020, @03:37AM
Just watch Cisco equate "unauthorised access" with "hacking" and leave it to the unwashed masses (i.e. their customers) to draw their own conclusions.
Yep. And a few hours later, we fine the corporate megaphones posing as trade press exclaming, "Former Employee Admits Hacking, Damaging Cisco Systems [securityweek.com]". In that article, they lead with "A former Cisco employee has pleaded guilty to hacking charges related to him accessing the networking giant’s systems and causing damage."
That is ridiculous.
Money is not free speech. Elections should not be auctions.
(Score: 2, Informative) by Anonymous Coward on Monday August 31 2020, @06:48AM (2 children)
Sure, Cisco should have revoked his credentials... standard procedure. But there's no way this is an accident.
(Score: 3, Interesting) by coolgopher on Monday August 31 2020, @07:04AM (1 child)
Seems quite plausible to me. You normally end up keeping creds for a bunch of AWS accounts in your ~/.aws/credentials file. Depending on your laziness you just mark whatever you're working on as the default creds. Step away from that box for a month (or five) and by the time you come back you might've forgotten you'd changed the defaults.
(Score: 2) by legont on Monday August 31 2020, @11:59AM
Yep. Then you run "remove all" script you wrote in a minute to avoid any future billing from AWS just while your wife is sreaming do fucking packing as you are leaving the US for good.
It is AWS and Sysco fault and they are likely scapegoating.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 2) by Booga1 on Monday August 31 2020, @06:52AM (2 children)
No kidding. As a sysadmin I've had all access revoked as soon as I locked my machine and stepped away from my desk on the last day. It shouldn't be some giant task to do that. It should be as simple as disabling or deleting an account.
At the VERY worst there might be service accounts he had access to, but even with that they're supposed to be rotating passwords regularly. Why, oh why did he have any access at all for MONTHS after he left? He's to blame for his actions, but they should never have been possible in the first place.
(Score: 1, Touché) by Anonymous Coward on Monday August 31 2020, @07:31AM
Indeed. We have two mishaps, one a firm who did not revoke credentials. Two an engineer who used said credentials instead of losing them to "some hack"😁.
(Score: 2) by Grishnakh on Monday August 31 2020, @03:21PM
This is basically like a bank that gets robbed by their former employee because they left the doors unlocked or didn't bother to change a safe combination after he left, and then tries to blame the ex-employee. What kind of idiot would trust their money to that bank?
(Score: 3, Informative) by Osamabobama on Monday August 31 2020, @04:22PM
To recover damages?
Looks like that's already been taken care of.
Appended to the end of comments you post. Max: 120 chars.
(Score: 1) by fakefuck39 on Monday August 31 2020, @10:35PM (20 children)
They issued refunds. What, pray tell would the excellent case against Cisco be here? If you buy a laptop on Amazon that you needed for an important meeting, you power it up, and it doesn't work, do you now have a case against Amazon because they screwed up your meeting? What if you're hosting a dinner with your boss, you buy some apples and they taste bad, ruin his mood, and you don't get a promotion - does the grocery store owe you lost future wages?
If you leave your house door open, get robbed, I guess the blame sits CIRCULARLY with you? No, the blame is with the guy who robbed your house. If you leave a root account without a password, and a guy logs in and trashes your server, the fault is with him. You were stupid for not protecting yourself against criminals, yes. But you did not delete anything.
If I walk around Chicago without my trusty knife and get robbed and beaten by a bunch of nigs, the fault is mine for forgetting the knife. But the fault is not mine for getting robbed. There's a big distinction here. The blame for not securing credentials is with Cisco. The blame for the deleted VMs sits with the guy who deleted them.
(Score: 1, Troll) by khallow on Tuesday September 01 2020, @12:01AM (19 children)
If you buy insurance for a disaster and the insurance company refuses to pay, does that mean refunding your premiums makes up for that? Companies like Cisco provide more than just a little gear. They provide guarantees against things going wrong.
(Score: 2, Insightful) by fakefuck39 on Tuesday September 01 2020, @05:58AM (18 children)
That's a strawman. This is not an insurance plan. It's a product you bought, which did not work. Their guarantees are for the product. They do not guarantee your business meeting will go well. If they don't meet the guarantees for the product, you don't pay for the product - which is done with a refund. An insurance plan guarantees to protect you against the outcome of something in your life. Cisco's are only related to the product, not to your business. I gave plenty of comparable examples, so when one doesn't work you make stuff up.
I literally have been selling this stuff for over a decade at various VARs. You're an idiot.
(Score: 1) by khallow on Tuesday September 01 2020, @10:53PM (7 children)
Depends what they paid for. Cisco doesn't just sell products.
(Score: 1) by fakefuck39 on Wednesday September 02 2020, @12:34AM (6 children)
They paid for an enterprise version of WebEx. That's made very clear by the article. Do you know what Cisco Teams, Spark, and WebEx are? Of course you don't. Nice of you to chime in as the expert on company liability of those products. Of course you're right, and the guy selling this shit for 20 years doesn't know what he's talking about. You're only right in your own little world that includes you and yourself though. Every time you open your mouth, the real world just laughs at the idiot making his idiocy visible.
(Score: 1) by khallow on Wednesday September 02 2020, @04:55AM (2 children)
Funny how true that is. I see the problem right here. You merely sell it. Classic argument from authority fallacy.
(Score: 1) by fakefuck39 on Wednesday September 02 2020, @06:36PM (1 child)
Right - I sell those contracts for Cisco product that you are talking about. I've seen them, written them, deployed them, and signed them with customers. You don't even know what the product is.
(Score: 1) by khallow on Friday September 04 2020, @02:41PM
Once again, demonstrating you don't know what you're talking about. You're just a narrow viewpoint without much in the way of relevant expertise.
You have yet to say anything to show that is relevant.
(Score: 1) by khallow on Wednesday September 02 2020, @05:10AM (2 children)
"Enterprise" is not just a label added to a product to make it cost more. It means the very things I've been talking about - insurance for various sorts of failures so that a company can apply these products to relatively valuable uses with some expectation that the damn thing will work.
(Score: 1) by fakefuck39 on Wednesday September 02 2020, @06:34PM (1 child)
"Enterprise" is a market vertical, such as Healthcare, Commercial, and SLED. You have no idea what you are talking about. There is no product Cisco sells where they give you insurance for failures. They give you an uptime SLA, and if it is not delivered, you get some money back. Those SLAs are the lowest for Commercial, higher for Enterprise, higher for SLED, and the highest for Healthcare. There are no guarantees on your business impact with any licensing model - only SLAs and SLOs for the product itself.
(Score: 1) by khallow on Thursday September 03 2020, @03:12AM
It's also a market horizontal like Walmart. Or any business that chooses to pay for more than bare bones.
What I find remarkable about this post is your attempt to snow us with acronyms and jargon. What was the point of bringing in the irrelevant detail of a "market vertical", that is, a niche market (not a paying Cisco customer I might add!), or undefined acronyms like SLA (service level agreement), SLED (state or local governments, or education), and SLO (service level organization). We can ignore that crap because it's irrelevant.
Here, an uptime SLA that gives you money back if it's not delivered? That's insurance. Thanks for confirming my previous post in such an entertaining way.
(Score: 1) by khallow on Tuesday September 01 2020, @11:08PM (4 children)
Sounds like you might need to sell this for a few more decades then. Wouldn't be the first time that someone is substantially ignorant of their own area of expertise.
(Score: 1) by fakefuck39 on Wednesday September 02 2020, @12:31AM (3 children)
Let's see. Two replies to the same comment. No actual rebuttal, just "you're wrong" without saying why. And a personal attack on someone who has been doing this for a living.
You have autism. You should go to a doctor. They have pills for that.
(Score: 1) by khallow on Wednesday September 02 2020, @04:49AM (2 children)
While you were doing that, I was noting relevant things like Cisco sells other things than just products.
It's worth noting that Cisco doesn't price its products at bare product/commodity level. A huge part of their value add is that they provide things like repair service, reliability guarantees, etc - you know, insurance against things going wrong. Where is consideration of that in your posts?
You might not be lying and do some sort of value added reselling or whatever it is that VAR means for you. But if you did, you probably wouldn't have chosen to defend this particular hill in the first place.
Moving on, another thing that could bite Cisco here is their own marketing for WebEx. They promise security (for example, here [cisco.com], here [webex.com], here [cisco.com], and here [forbes.com]).
I bet if I were to drill deeper into those advised "best practices", I'd see something about revoking privileges of ex-administrators promptly. So Cisco likely isn't following their own recommended best practices - always damning evidence in a court case.
Even an agressive EULA-style contract for which a user effectively waives all rights can still provide a huge opening for lawsuits, if the marketing and public statements are vastly divergent from the reality of the goods and services provided. False advertisement and fraud are things which neuter contracts. And you can be on the hook for quite a bit, if your customers' expectations concerning that marketing and what they put at stake are deemed reasonable.
As a final remark, you termed my initial post a "straw man". Sorry, it's not. A straw man is replacing an opponent's argument with a fake one that is easier to defeat. I suggest you educate yourself on what these terms mean so that you don't make the same mistake again.
(Score: 1) by fakefuck39 on Wednesday September 02 2020, @06:42PM (1 child)
>repair service, reliability guarantees, etc - you know, insurance
I do know. A support contract on equipment and soft solutions has zero to do with insurance. It also applies to the product, not to what you do with that product. You literally have zero idea of what you are talking about. A best practices guide is not a contract. It's general guidelines for implementation specialists to design the system. A technical document for the installer and administrator, not a legal document. It's like a man page for a command.
(Score: 1) by khallow on Thursday September 03 2020, @03:19AM
Except of course, it is insurance. After all, what is insurance? It's risk mitigation via some sort of asset or support that kicks in when things go wrong.
(Score: 1) by khallow on Wednesday September 02 2020, @04:51AM (4 children)
Which just stopped working.
But if your business meeting doesn't go well, because well, the product didn't work, that becomes a Cisco problem. And if it didn't work because Cisco did something bone-headed stupid, I think that opens up Cisco to a lot of liability.
(Score: 1) by fakefuck39 on Wednesday September 02 2020, @06:38PM (3 children)
It does not become a Cisco problem, nor does it open up Cisco to any liability. If Dell sells you a laptop for a video-interview, and the laptop breaks so you miss your interview and don't get the job, they are not liable for your lost wages. They are only liable for the laptop replacement or refund.
(Score: 1) by khallow on Thursday September 03 2020, @03:24AM (2 children)
I outline a way [soylentnews.org] it does just that. And really what's the point of insisting that blatant, poor business practices aren't a problem?
(Score: 1) by fakefuck39 on Thursday September 03 2020, @09:17AM (1 child)
Just letting you know, I didn't read any of your new comments. You need to take your meds buddy, and put down the crack pipe.
(Score: 1) by khallow on Thursday September 03 2020, @01:43PM
Too bad. You might have learned something, if you had let your guard down.
(Score: 4, Touché) by Frosty Piss on Monday August 31 2020, @06:45AM
And nothing of value was lost.
(Score: 0) by Anonymous Coward on Monday August 31 2020, @09:19AM
Leaving Cisco, leaving Vegas; it's all the same, everything stays there, erased in perpetuity. "What happens is Cisco, stays in Cisco!" Strange motto, for a network company.
(Score: 3, Touché) by looorg on Monday August 31 2020, @11:19AM (1 child)
Good news Ramesh! You get to stay. But only for five years. The government will pay for your room and board to.
(Score: 0) by Anonymous Coward on Monday August 31 2020, @12:19PM
Since Trump defunded the office that handles green cards, it would have taken him five years to get one anyway. Maybe after he gets out, he'll be in the last stage to maybe getting it approved.
(Score: 2) by GlennC on Monday August 31 2020, @01:33PM (9 children)
To me, both parties made mistakes.
Cisco should have disabled Ramesh's accounts immediately after his employment ended.
Ramesh should also have deleted any login credentials on his systems.
However, given that Ramesh is a "foreigner," and Cisco is "an upstanding American company," guess who's going to end up taking the fall?
Sorry folks...the world is bigger and more varied than you want it to be. Deal with it.
(Score: 0) by Anonymous Coward on Monday August 31 2020, @03:12PM (2 children)
Iran?
(Score: 0) by Anonymous Coward on Monday August 31 2020, @06:58PM (1 child)
No, obviously it's China's fault, because everything bad that happens is their fault.
TRDT
(Score: 0) by Anonymous Coward on Tuesday September 01 2020, @04:00AM
TRDT?? Probably not Tag Rugby Development Trust
(Score: 3, Insightful) by Grishnakh on Monday August 31 2020, @03:25PM (5 children)
Cisco should have disabled Ramesh's accounts immediately after his employment ended.
Ramesh should also have deleted any login credentials on his systems.
If Ramesh had deleted login credentials, he wouldn't have been able to log in and trash stuff. Why would he want to do this?
This is like blaming the ex-employee of a bank for coming in, using the safe combination that he remembers from when he worked there, and stealing all the bank's cash. Who's really to blame? The ex-employee? No, because if you trusted everyone to not ever steal anything, then we wouldn't need safes and locks and banks could just leave their doors unlocked and cash lying around. The bank is to blame for having shitty security. Of course, the ex-employee should be *prosecuted*, but the *blame* falls on the bank here. The bank is the one that needs to be sued, because it had a duty to protect the customers' money, and it failed due to negligence.
(Score: 2) by GlennC on Monday August 31 2020, @03:38PM (1 child)
Perhaps to avoid potential liability? I would mention professional courtesy, but that appears to be beyond the capacity of many these days.
Sorry folks...the world is bigger and more varied than you want it to be. Deal with it.
(Score: 2) by Grishnakh on Monday August 31 2020, @11:35PM
For normal people, sure, but obviously this guy had it out for Cisco, so why would he want to delete his login credentials if it means he can't trash their data and cause millions in damages (allegedly)?
Your post seems to me like thinking a hit man should just get rid of his gun.
(Score: 3, Interesting) by Anonymous Coward on Monday August 31 2020, @05:28PM (2 children)
Cisco has aweful history of treating employees and half of the shit they fling is borderline illegal which is why they require H1Bs. A junior of mine had a job of administration their Jenkins server running over kubernetes. He triggered a clone of a node and for some reason that triggered an alert. It was pretty much his job and he had taken approval from the management etc. Of course. Guess who got involved? The legal department. The Cisco HR contacted him for explanation, asked him to share his personal gmail login and password. He naively shared without, and lost complete access to his email that is linked to Facebook, bank, tax authority etc.
I mean, we can all read that and think of a couple of mistakes he did but what would we have actually done in his place, probably not too different - because we think USA is better because it has rule of law.
A harsh lesson but the point is, Cisco has history of shitting over employees and naturally has attracted smart shitty characters in its positions of power. I am sorry for Ramesh. He has done more hard work and sacrificed more than most of the people complaining about H1B, but some things, like race gender and parents economic condition don't completely go away.
(Score: 2) by inertnet on Monday August 31 2020, @08:18PM
I was going to say that he'll never be able to get an honest job for the rest of his life, but (from TFA):
(Score: 1) by khallow on Wednesday September 02 2020, @05:19AM
My take is that once you get larger than a small tribe a place with rule of law will be better than a place without rule of law. It's that much better than its absence. People forget the European problem that led to the development of the concept of rule of law. Once you no longer have formal regulations that apply to everyone with well understood law creation, the powerful just make up their own rules on the fly.