‘logic bomb’ fine of up to $250,000, up to 10 years in prison

geniusintraining

I know we have discussed these in the past but I found this and it's a warning to some. This is in a spreadsheet but I think they could find the same with a PLC program


Siemens Contract Employee Intentionally Damaged Computers by Planting Logic Bombs into Programs He Designed
PITTSBURGH, PA – A resident of Harrison City, Pennsylvania, pleaded guilty in federal court to a charge of intentional damage to a protected computer, United States Attorney Scott W. Brady announced today.

David Tinley, 62, pleaded guilty to one count before Senior or Chief United States District Judge Peter J. Phipps.

In connection with the guilty plea, the court was advised that from in and around 2014 and continuing until on or about May 13, 2016, Tinley, a contract employee for Siemens Corporation at the Monroeville, PA location, intentionally inserted logic bombs into computer programs that he designed for Siemens Corporation. The logic bombs ensured that the programs would malfunction after the expiration of a certain date. As a result, Siemens was unaware of the cause of the malfunction and required Tinley to fix these malfunctions.

Judge Phipps scheduled sentencing for Nov. 8, 2019 at 10:30 a.m. The law provides for a maximum total sentence of 10 years in prison, a fine of $250,000, or both. Under the Federal Sentencing Guidelines, the actual sentence imposed is based upon the seriousness of the offense(s) and the prior criminal history, if any, of the defendant.

Assistant United States Attorney Shardul S. Desai is prosecuting this case on behalf of the government.

The Federal Bureau of Investigation conducted the investigation leading to the prosecution of Tinley.

https://www.justice.gov/usao-wdpa/p...maged-computers-planting-logic-bombs-programs
 
So, not something I've ever done but I've certainly heard of people doing.

Does the situation change if you're a company that sells X machine to A customer and to ensure you get paid you insert a logic bomb like that? What if in the contract for X machine you stated that if past due balances were to elapse past a certain date machine may not function normally?
 
Does the situation change if you're a company that sells X machine to A customer and to ensure you get paid you insert a logic bomb like that? What if in the contract for X machine you stated that if past due balances were to elapse past a certain date machine may not function normally?

That's been the argument in the past... and we all agree we should get paid for our work but holding a machine hostage will not hold up in court, I don't know the answer.

Collection of funds has always been a pain for me, if we provide a service or product we should be paid in a reasonable amount of time, when I first started I took a PO for about 12k, it took me over a year to get it and I spent a couple hours a week trying to get it also spent many sleepless nights because of it, if I could have sent them a 'time bomb' I would have.
 
Has anyone tried some exorbitant late fee, like 10% of balance due per month, compounding?
 
If you write clearly in the contract that the machine requires an update for it to run past a certain date, and that the update is included in the contract, then I cannot see how you can become liable.
If the payment doesn't come through, then you are not obliged to fulfill the contract; that is: to supply the program update, and the machine will come to a stop after the date.

Apart from that, for bigger contracts you should demand an LC.
 
this is in a spreadsheet but I think they could find the same with a PLC program

The reason this got prosecuted is that it was an ongoing fraud; Tinley was getting emergency breakdown repair fees from Siemens whenever one of his logic bombs went off. It was prosecuted at the Federal level because it was done over the Internet; virtually any PC can be considered a "protected computer" under the Computer Fraud and Abuse Act if it connects to the Internet.

There isn't a lot of public reporting that is not based on the DOJ press release about the guilty plea. One article I read says that Tinley created "custom automated spreadsheets for the power generation industry", and that he had been originally contracted by Siemens in 2002. By the time he was caught in 2016, this scheme had been paying off for a while.

A PLC would very probably be considered a protected computer under the CFAA; smartphones have been adjudicated to be protected under that law. If you implemented a fraud that used an Internet connection in such a system, then you could find yourself on the business end of a Federal prosecution too.

None of the files related to that case are on the CourtListener archive so they are still behind the Federal court records paywall. When I get around to it I'll download some of the case files via PACER.
 
That's been the argument in the past... and we all agree we should get paid for our work but holding a machine hostage will not hold up in court -- I don't know the answer.

Collection of funds has always been a pain for me; if we provide a service or product we should be paid in a reasonable amount of time. When I first started I took a PO for about 12k; it took me over a year to get it and I spent a couple hours a week trying to get it - also spent many sleepless nights because of it. If I could have sent them a 'time bomb' I would have.

I was asked to program a medical exercise table a few decades ago, wherein the manufacturer of said table specifically requested this feature. His business plan was to rent out these tables for a monthly fee; if the fee was not paid, we would not have sent a token to the machine to allow use the next month.

He desired that no-one but me should be able to 'hack' it; I replied that there is always someone able to hack in if they have the right tools.

As mentioned above: if there is a contract stipulating that periodic updates shall be required to make the machine function, and/or a contract states that the machine is on trial until the final payment, I cannot see how such code could be construed as a "time bomb".
 
I had one client who leased their machines based on runtime. If the lease payments stopped, the machine gave a couple of reminders and then failed to start.

I got just one call over the years from a customer demanding that I help them work around it; I politely refused.

There's a bright line between disputes over contracts and crimes of sabotage.
 
I had one client who leased their machines based on runtime. If the lease payments stopped, the machine gave a couple of reminders and then failed to start.

I got just one call over the years from a customer demanding that I help them work around it; I politely refused.

There's a bright line between disputes over contracts and crimes of sabotage.

[RANTMODE]
Awww heck, sell machine programs the same way PC OS/SW is sold: A license to use the software (in compliance with the ToS) then sue them if they violate the ToS and continue using the machines.
[/RANTMODE]
 
The reason this got prosecuted is that it was an ongoing fraud


This is the big thing that separates it from the typical scenario under discussion on this site.


Not only was it not in the contract, it was done with the express intention of creating ongoing future business for himself.


The article I read said that they only found out what was going on when one of his logic bombs happened while he was on vacation, so they had someone else come look at the system. If he had kept better track of his pre-planned "emergency" fixes, he'd still be doing it.
 
sue them if they violate the ToS and continue using the machines

Litigation costs money, and that customer leased a lot of their machines in places with abundant crops but inadequate courts.
 
I am not involved in the collecting of payments but we have issues sometimes getting that last 10% after commissioning. What happens is we fulfill the contracted build, the manufacturing engineer signs off on it after runoff on our floor, but then... hands it off to the IT/automation controller for final signoff after we install it on their floor. He/they were not involved in the purchase or previous buyoff, but that company does not approve final payment until that group is happy, even though we have completed our piece. Back and forth, back and forth, needing multiple trips to satisfy them. It comes down to spending $20K to get that final $40K.
There has to be a way of stopping this, maybe contracts need to be tightened up, I really don't know.

So I am told to add features to stop this. Although I have not done it, I am in a position to block everything, stop an upload, download, viewing, deleting, they cannot access it if they wanted to. Now if I did this without it stated in the contract as an "update", as others have stated, am I at risk personally?
 