Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
United States Crime Networking The Courts IT

Sysadmin Gets Two Years In Prison For Sabotaging ISP (bleepingcomputer.com) 133

After being let go over a series of "personal issues" with his employer, things got worse for 26-year-old network administrator Dariusz J. Prugar, who will now have to spend two years in prison for hacking the ISP where he'd worked. An anonymous reader writes: Prugar had used his old credentials to log into the ISP's network and "take back" some of the scripts and software he wrote... "Seeking to hide his tracks, Prugar used an automated script that deleted various logs," reports Bleeping Computer. "As a side effect of removing some of these files, the ISP's systems crashed, affecting over 500 businesses and over 5,000 residential customers."

When the former ISP couldn't fix the issue, they asked Prugar to help. "During negotiations, instead of requesting money as payment, Prugar insisted that he'd be paid using the rights to the software and scripts he wrote while at the company, software which was now malfunctioning, a week after he left." This tipped off the company, who detected foul play, contacted the FBI and rebuilt its entire network.

Six years later, Prugar was found guilty after a one-week jury trial, and was ordered by the judge to pay $26,000 in restitution to the ISP (which went out of business in October of 2015). Prugar's two-year prison sentence begins December 27.
This discussion has been archived. No new comments can be posted.

Sysadmin Gets Two Years In Prison For Sabotaging ISP

Comments Filter:
  • by freeze128 ( 544774 ) on Sunday December 04, 2016 @02:56PM (#53421107)
    You gotta hand it to the guy for negotiating for the rights to the software. He kinda was *TRYING* to do the right thing by making sure he had the proper rights to the software (presumably before he sold it himself). A more unscrupulous man might just have stolen the software and used it to start his own business without any notification at all.
    • ummmm the whole point was he did try to steal the software and scripts first, AFTERWARDS he tried to use the damage he caused as a negotiation tactic to gain legal access. Their was no kinda trying to do the right thing here.
    • You read it wrong. He wasn't trying to to the right thing. He stole the software and by doing that he inadvertently broke the system.

      A smart man would have copied the software as he wrote it.

      • A smart man would have copied the software as he wrote it.

        Or done some of the development of the scripts on his home machines, on his own time, thus considerably muddying the issue of who actually owns the software.

        E.g. - if you see a need for software at work, then do some developing of ideas at home. Maybe ask around here (under an account you don't use at work) to generate some footprint. Get some preliminary work done. Only then take the idea to work.

        Me, I'm still trying to work out how to get contour

    • He kinda was *TRYING* to do the right thing by making sure he had the proper rights

      Or it was disaster management to claim the trashing of the ISP as a side-effect. What's the penalty for trashing your former employer?

    • Re:Smart but foolish (Score:5, Informative)

      by ClickOnThis ( 137803 ) on Sunday December 04, 2016 @03:47PM (#53421351) Journal

      You gotta hand it to the guy for negotiating for the rights to the software. He kinda was *TRYING* to do the right thing by making sure he had the proper rights to the software (presumably before he sold it himself). A more unscrupulous man might just have stolen the software and used it to start his own business without any notification at all.

      There is no way to parse what he did as the "right thing." He stole from his former employer and sabotaged their system. And then tried to extort them for the rights to his software.

      He should have been a professional and just walked away. Or at least he should have talked to a lawyer about his claim to the software he wrote. Although most likely his employment agreement considered it a "work for hire" so he had no claim.

    • He sounds typical of the sort of guy who thinks what he rights at work should be his own property. And also typical of a fired-for-cause worker who won't just let things go and try to fix the problems that got him fired in the first place. People like that are why so many people are escorted out by security when there are layoffs.

  • by Anonymous Coward on Sunday December 04, 2016 @02:57PM (#53421119)

    "Judge Rambo ordered Prugar to pay $26,000 in restitution."

    I guess its better than getting sentenced by Judge Dredd.

    • How do you pay $26k to an entity that's gone out of business? Just do the time - extend it by x months.
      • you pay it to the owners of the business at that time, sounds like it was a small IS so should be a simple matter. does seem incredibly cheap damages bill for an ISP with 500 business and a few thousand general consumer customers when they were out for a week. Perhaps this conviction will lead to more civil lawsuits down the road.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        The bankrupt/out-of-business entity will still have a trustee/ownership of some sort, and creditors against that trustee/owner.

      • by Anonymous Coward

        Somebody still owns that ISP's assets. Two things, though...

        1) Good luck getting $26K from an inmate - at a buck or two a day, twenty-six grand will take a lot longer than two years, and

        2) If the courts determined that he only did $26,000.00 worth of damage, I'm guessing this ISP was probably already circling the bowl. After all, if he was solely responsible for breaking this ISP, one would expect a far higher award for damages, regardless of (1), above.

        And just to ask - what about his (now ex-) fellow em

        • by Kjella ( 173770 )

          Somebody still owns that ISP's assets. Two things, though...

          1) Good luck getting $26K from an inmate - at a buck or two a day, twenty-six grand will take a lot longer than two years, and

          Assuming he had zero assets before the trial. Any down payment on a mortgage, a car in good shape and you're pretty close.

          2) If the courts determined that he only did $26,000.00 worth of damage, I'm guessing this ISP was probably already circling the bowl. After all, if he was solely responsible for breaking this ISP, one would expect a far higher award for damages, regardless of (1), above.

          Probably. It could also be that it was easy to prove he did at least $26k worth of damage, he has no more assets and the trustee wants the bankruptcy settled and think the practical value of a higher judgement is zero. Except for when the RIAA/MPAA/BSA want big numbers for PR reasons, they're often willing to settle for what you have.

      • by Anonymous Coward

        >How do you pay $26k to an entity that's gone out of business? Just do the time - extend it by x months.

        Well, the link says ISP, but the linked press announcement on the DOJ site says he only has to provide restitution, presumably to the owner at the time. Secondly, the article kinda makes it sound like the ISP went under because of this guys sabotage, but it really ceased because it has changed its name to Netrepid and discontinued its dialup network services which was under the Pa Online brand.

      • by AmiMoJo ( 196126 )

        The money goes to the creditors of the defunct company, who likely lost out when it went bankrupt.

        My mum had this happen once. She had an account in credit to the tune of about 3 quid. About six years after the company went bust she got a cheque for 7p. That's about $0.08. I don't know if they subtracted the cost of the envelope, postage and administration from what she was owed.

    • Or Judge Dread. Rude boys don't cry!

  • by adosch ( 1397357 ) on Sunday December 04, 2016 @03:09PM (#53421171)

    As making a living out of being all things 'admin' (sys/network/engineering, ect.), he totally deserves this. This guy is total amateur-hour and quite simply deserves what he got. If it was really about your scripts, then they were probably garbage anyway. Any admin with have a brain keeps copies of their stuff; I actually use version control systems right long with software developers and engineers, so an even bigger reason to manage your domain better.

    I'm sure he had a fair bit of perceived egotism and elitism in his attitude and work ethic, which made the situation what it was and resulted into today for him.

    Even that, if he was able to log on to absolutely anything after his contract was terminated, then shame on the ISP, too. That's probably why they don't exist anymore. In any fairy constructed IT shop of sys-admins, regardless of how the rest of his co-workers felt about the situation of all of it, his access to everything would have been gone the second he was being walked out the door by security, HR, ect.

    • Re: (Score:3, Interesting)

      by SumDog ( 466607 )

      They left an account open for him after he left. He should have just taken a copy before he left, or not even bothered with cleaning up the logs (they obviously would have taken the time to notice).

      I don't think the punishment fits the crime here through. A few years in jail for being an idiot. It also kills any chance of employment later with that criminal record. It sounds like a shitty ISP anyway.

      The reality is, code is the collective memory of a programmer. Most software devs always keep copies of their

      • Re: (Score:3, Interesting)

        by thegarbz ( 1787294 )

        He should have just taken a copy before he left

        He didn't take a copy. He took them. No copy.

        I don't think the punishment fits the crime here through. A few years in jail for being an idiot.

        For being an idiot? How about for maliciously damaging a business both in terms of physical infrastructure and in reputation? How about the knock on effects on the 500 businesses? If you got fired from McDonalds and to get back at them you decided to burn your former store to the ground do you think it should just be met with a slap on the wrist?

        It also kills any chance of employment later with that criminal record.

        He didn't need a record for that. Just the warning sign "I attempted to destroy my former employer because they fired m

        • It sounds like a shitty ISP anyway.

          Based on what? Based on an employee leaving? Or based on taking legal action against someone who (may have actually) destroyed your business?

          No backups. No control version system. No removal of old credentials when employee is let go. That and the fact that the business is now bankrupt.

          • by cdrudge ( 68377 )

            That and the fact that the business is now bankrupt.

            No they didn't. They just shut down the dialup and email service [netrepid.com]. It's hard to imagine that in the age of broadband and fast cellular data connections covering most of the country that dial up service would be popular and/or profitable. Same would go for email hosting.

          • No backups.

            We don't know that. What we do know is they were down a malicious system admin.

            No control version system.

            We don't know that. What we do know is they were down a malicious system admin.

            No removal of old credentials when employee is let go.

            This we do know. And if you set your standards by this fact than you're quite the fussy man.

            That and the fact that the business is now bankrupt.

            We don't know that. What we do know is that they went out of business. Maybe they sold up. Maybe they were sued into oblivion. Maybe maybe maybe.

            What we do know is that it was a smaller outfit. What we do know is that the admin likely didn't have to deal with ra

        • Based on what? Based on an employee leaving? Or based on taking legal action against someone who (may have actually) destroyed your business?

          Because deleting a couple of log files shut them down, and they'd fired their sysadmin while apparently not having anyone with the capacity to diagnose and fix such a problem.

          • Because deleting a couple of log files shut them down,

            WTF is it "Base all my knowledge on unknown assumptions that fit my narrative day?

            and they'd fired their sysadmin while apparently not having anyone with the capacity to diagnose and fix such a problem.

            You Fortune500 employees really have lost your sense of reality haven't you. But whatever stick with your baseless narrative that includes a small company having a sudden spat with an employee magically having the resources to replace and completely fully train replacement system admins before the old one leaves, let alone have the skills to instantly solve an issue caused by a malicious attack that also attempted to cover its

      • by don.g ( 6394 )

        The reality is, code is the collective memory of a programmer. Most software devs always keep copies of their work, usually not to resell or reuse (you can't and shouldn't, unless you're an idiot and want to end up like this guy), but more as a reference (How did I do that? I had an example somewhere).

        Really?

        I don't have a copy of the software I worked on at my last two employers and would consider taking a copy before I left a gross breach of trust.

        I have a copy of work I've done while self-employed, as I

        • by Anonymous Coward
          I always take a copy of the code I've written. Posting anonymously for obvious reasons.
          The code will be interesting to me for much longer than it will be interesting for the company, and probably for long after the company exists.
        • by AmiMoJo ( 196126 )

          I find that often a problem can re-use some open source or personal code I have already written. In that case I keep any non-proprietary changes/improvements, with my employer's permission. They understand that it's better for them that way, as they get a tested and mature bit of code in less time than it would take me to write it from scratch again.

          Most embedded developers I know have personal code libraries like that, and most don't even rise the issue with their employer.

    • As making a living out of being all things 'admin' (sys/network/engineering, ect.), he totally deserves this. This guy is total amateur-hour and quite simply deserves what he got.

      It's a non-violent crime. He wasn't even trying to hurt anyone, that was an accident. Prison doesn't seem excessive to you? He should be forced to pay damages and be done with it.

      • by amiga3D ( 567632 )

        He could have gotten up to 30 years and 250,000 dollars in fines. Fooling with computer systems ranks up there with murder.

    • by sjames ( 1099 )

      When I do contract work, I always request that any credentials I might have had be revoked, both to encourage good practice and to make sure I don't get blamed for whatever might happen after I leave.

      Sometimes they do and sometimes (after entering anopther contract with them) I find my old creds still valid.

      • sometimes (after entering anopther contract with them) I find my old creds still valid.

        Do you write a penalty (e.g. extra payment) into the contract for when that happens?

    • There are people who do violent crimes or crimes that physically hurt people and get less than 2 years of prison.

      From the sounds of this story it *was* amateur hour, and he went to far and made a mistake. Like you I keep copies of my scripts etc, but I have no illusions about ownership, and franking they are welcome to them if the next guy can even figure it out. However I'd take my stuff to help me on my next gig, though I not go as so far as to try and delete them from company systems. That said the mista

  • For anyone still wondering why the snooper charter is a very very bad idea... and this is only a single problem out of a huge list.
    Here's what to expect:

    https://www.wired.com/2013/09/... [wired.com]
    http://animalnewyork.com/2014/... [animalnewyork.com]
    http://www.kiro7.com/news/inve... [kiro7.com]
    http://www.nbcnewyork.com/news... [nbcnewyork.com]
    http://wncn.com/2016/02/10/nc-... [wncn.com]
    https://psmag.com/when-your-st... [psmag.com]

    https://www.techdirt.com/artic... [techdirt.com]

    Most of these are coming directly from security agencies and the police itself, but what do people think will happen once ISPs a

  • It sounds like most of the punishment was based on the (accidental) disruption to the ISP, rather than the actual hacking and theft of code.

    This is a bit like sending someone to prison for arson, because they knocked over a gas space heater while robbing a store.

  • On one hand, I cheer Prugar because I have been fired from jobs and I was told that I am "not a team player." Never mind that I had one of the highest issue solve rights and work completion rates of my team and department. Yes, I am socially awkward and have a disability but, when the day is said and done, isn't a job about productivity? Firing someone because you feel threatened by them is evil. On the other hand, I think that two wrongs don't make a right. I believe he would've been better off asking for
    • by Shimbo ( 100005 )

      The company did nothing wrong - Prugar is an asshole who deserved what he got. If you think that he suddenly developed an attitude problem and a complete lack of professional integrity after he got fired without cause, then Occam's razor says you're wrong.

      And, no a job isn't purely about personal productivity. As a sysadmin you need to document the fuck out of things, and nurture your team so they can handle things without you being around 24/7, because shit happens. If you have a sysadmin that doesn't do t

      • Identifying with a jerk who put his company out of business because he couldn't walk away, not so much

        According to this [netrepid.com], PA Online were a dial-up ISP that went out of business in 2015 (after being acquired in 2013, so really it's more like the dial-up branch of the combined company got shut down). Given that this story is about events from 2010, I think it's more likely that they got shut down because they were a dial-up ISP in 2015 rather than because of anything this guy did 5 years previous.

        I admit the summary does try quite hard to give you the wrong impression, but blaming it on this guy definitely is

  • for anyone in a similar position.

    Make sure you build in _delayed_ time bombs, and _wait_ a while before wrecking your former employer. And if they ever ask you to help, tell them to shove it.

  • 'Prugar worked as a systems administrator for Pa Online until June 2010, when after a series of "personal issues" with his employer, he was let go.'

    What was the nature of these "personal issues" Prugar had with Pa Online?
    • If I had to guess it was about what IP rights he retained to his scripts/software work given what transpired. The ISP disagreed with his opinion and fired him. He said fine, and took all his work back, inadvertently taking the ISP offline when he messed up deleting user logs after the fact. Then in a fit of hubris when the company came to him he decided to rub their noses in it. To which the company came to the conclusion that perhaps it wasn't a coincidence. FBI etc...

      But who knows really, could be he was

  • OK, the ISP in question should have known that this guy was a sysadmin and revoked all of his credentials as soon as he was terminated. But, even if I have a key to my old house, I can't just walk in, turn on the TV and make myself a sandwich when someone else owns it (or is renting it from me.) That part of the story is why the jail time is warranted. Sysadmins should be professionals...yes, I know very few businesses treat them as such, but acting professionally is the first step to being recognized as on

Is a computer language with goto's totally Wirth-less?

Working...