Insider Logic Bombs

Add to the "not very smart criminals" file:

According to court documents, Tinley provided software services for Siemens' Monroeville, PA offices for nearly ten years. Among the work he was asked to perform was the creation of spreadsheets that the company was using to manage equipment orders.

The spreadsheets included custom scripts that would update the content of the file based on current orders stored in other, remote documents, allowing the company to automate inventory and order management.

But while Tinley's files worked for years, they started malfunctioning around 2014. According to court documents, Tinley planted so-called "logic bombs" that would trigger after a certain date, and crash the files.

Every time the scripts would crash, Siemens would call Tinley, who'd fix the files for a fee.

Posted on July 26, 2019 at 6:05 AM • 36 Comments
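As an added illustration of the date-triggered scripts the quoted article describes (not code from the post, the court documents or Siemens): a review aid that lists every place where VBA-style macro source compares the system clock with a hard-coded date, which is the pattern a code audit would look at first. The macro text, function names and review date are constructed for the example, and VBA is an assumption, since the article does not say which scripting language the spreadsheets used.

```python
import re
from datetime import date

# A clock read (Date, Now, Now()), optionally wrapped as Year(Now), CDbl(Date), ...
CLOCK = (r"(?:\b(?:year|month|cdbl|clng|int)\s*\(\s*)?"
         r"\b(?:now|date)\b(?:\s*\(\s*\))?(?:\s*\))?")
OP = r"(?:>=|<=|<>|>|<|=)"
# Hard-coded dates: #m/d/yyyy# (VBA date literals are month-first),
# DateSerial(y, m, d), or a bare four-digit year.
LIT = (r"(#\d{1,2}/\d{1,2}/\d{4}#"
       r"|dateserial\s*\(\s*\d{4}\s*,\s*\d{1,2}\s*,\s*\d{1,2}\s*\)"
       r"|\b(?:19|20)\d{2}\b)")
PATTERN = re.compile(rf"{CLOCK}\s*{OP}\s*{LIT}|{LIT}\s*{OP}\s*{CLOCK}", re.I)


def code_only(line):
    """Drop ' comments and blank out string contents so only code is matched."""
    out, in_str = [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str
            out.append(ch)
        elif in_str:
            out.append(" ")
        elif ch == "'":
            break
        else:
            out.append(ch)
    return "".join(out)


def logical_lines(source):
    """Yield (first_line_number, text), joining ' _' line continuations."""
    buf, start = "", None
    for number, raw in enumerate(source.splitlines(), 1):
        line = code_only(raw).rstrip()
        if start is None:
            start = number
        if line.endswith(" _"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf


def parse_literal(literal):
    """Turn a matched literal into a date; None if it is not a valid date."""
    nums = [int(n) for n in re.findall(r"\d+", literal)]
    try:
        if literal.startswith("#"):
            month, day, year = nums
            return date(year, month, day)
        if len(nums) == 3:
            return date(*nums)
        return date(nums[0], 1, 1)
    except ValueError:
        return None


def scan(source, review_date):
    """List every clock-versus-hard-coded-date comparison in the source."""
    findings = []
    for number, text in logical_lines(source):
        for match in PATTERN.finditer(text):
            literal = match.group(1) or match.group(2)
            when = parse_literal(literal)
            # A trigger date still ahead of the review deserves a closer look.
            future = when is not None and when > review_date
            findings.append({"line": number, "literal": literal, "date": when,
                             "future": future, "code": text.strip()})
    return findings


# Constructed macro text for the example; not taken from the case.
SAMPLE = '''\
Sub RefreshOrders()
    ' Old check removed: If Date > #1/1/2010# Then Exit Sub
    Dim cutoff As Date
    msg = "Report if Date > 2014"
    If Now() >= DateSerial(2014, 5, 1) _
        And Weekday(Date) = 2 Then
        Err.Raise 1004
    End If
    If Year(Now) > 2019 Then Exit Sub
    If Sheets(1).Range("A1").Value > 2014 Then Beep
End Sub
'''

if __name__ == "__main__":
    for f in scan(SAMPLE, review_date=date(2013, 6, 1)):
        print(f["line"], f["literal"], f["date"], "future" if f["future"] else "past")
```

It only sees direct comparisons; a date first stored in a variable or a cell and compared later needs data-flow tracing or a diff of each delivered version against the last reviewed one.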

Comments

Petre Peter July 26, 2019 7:44 AM

Dumb criminals can be funny. I wonder if he'll still be allowed to use a computer. I also wonder if the IT guys who discovered the logic bomb will be promoted.

TGIF July 26, 2019 8:47 AM

Investors in Siemens stock should beware their poor inventory control and replenishment "system."

Paul Gregoire July 26, 2019 9:15 AM

While totally not for this type of "feature"; one should consider that if an individual developer implements it, they pay a fine and / or go to jail. When a large corporation like Apple regularly gets caught doing it, nothing happens and the sheep buy the latest product. In both cases it's most likely a "Logic Bomb" of sorts, but the implementer matters, so let's switch it to "Planned obsolescence".

wumpus July 26, 2019 9:20 AM

@Paul Gregoire

I think there was a push in the 1990s (possibly early 2000s) in the USA to make contract law the same in all the states, there was language that more or less made this type of thing legal. I'd expect that it was eventually changed so that a corporation buying from a contractor was safe, but a corporation could plant any logic bomb they wanted in a consumer's computer.

Tatütata July 26, 2019 9:28 AM

The 4-page indictment doesn't make it sound like this was the crime of the century, although the bloke was at it for one seventh of a century. The prosecutor only seems to ask for the surrender of a couple of laptop computers. (Although I suspect that the statute might allow to strip the guy down to his last pair of socks, as just about any possession could be construed as being "used" for the commission of a crime).

I bet that the handiwork would come in dead last at the Obfuscated Excel Macro Contest...

BTW, what's the point of document upload sites such as Scribd that ask you to register to download documents? Isn't there enough free hosting around?

JonKnowsNothing July 26, 2019 10:05 AM

I think this is not so uncommon.

I saw this type of ransom-lockout in action many years ago. It was very complex, involving dates, times, flag files and a whole lot of obfuscation to make things appear as normal programming. Things like normal date manipulation. The penalty was a random rewrite to the database. Whatever was there got overwritten even if you pulled up the data in "non edit mode" and the random part could hit any file in the system, not just the one you were looking at.

The trigger was avoided for many years (maybe decades) by either having a current access to the system for installing upgrades or new features to the software or just making up a pretext to come in and give things a check over (being a "nice guy"). It was discovered when the trigger went off because the reset didn't happen.

This individual went on to work at a major software company (think BIG 20 years back) working on their OS and other sensitive systems.

It was appalling but the claim was about who owned the copyright on the software and if you didn't pay the required maintenance fees the system would tank. Wrecking the database seemed to put an extra spin on PAY ME MY MONEY.

Of course the target didn't know they had to pay a fee, they thought they owned the software because they paid for a bespoke system.

Now you don't own anything no matter how much money you invest. It can be shanked accidentally, deliberately, subversively and you have no recourse.


Bear July 26, 2019 11:01 AM

Definitely not an original idea with this particular crook. This kind of "job security" bomb was actually somewhat common in the middle to late 1990s. I've personally ripped at least a half dozen of these out of the beating hearts of running systems.

I've seen them in spreadsheet macros and cell calculations, in database precompiled queries, in word macros, in DLLs, and in raw C++ code.

The absolute worst of them are the ones that fail invisibly - like a call to get a random number that only returns a full-range random number before a certain date, and a random drawn from a much smaller range after that date. These set up a marketable zero-day vulnerability against a specific system.

Goku July 26, 2019 11:45 AM

What amazes me the most is that the logic bomb's author lacked fantasy so much a court was able to rule out plain-old bad / sloppy programming.

Thunderbird July 26, 2019 11:55 AM

Has anyone seen anything discussing the form of these "logic bombs?" I am a bit puzzled that someone clever enough to put them in wasn't clever enough to make them look like a simple mistake. I haven't used a spreadsheet in twenty-five years, but I seem to recall them being a minefield of twisty little inexplicable functions all alike, such that it would be hard to argue something was deliberate unless there was a cell called "IFLOGICBOMB" or something.

Davis July 26, 2019 1:15 PM

I have home appliances with a similar trait that renders them unusable after N years. Not sure if the district attorney will file charges against the manufacturers anytime soon.

Steve July 26, 2019 3:23 PM

Of course, the smart criminals don't get caught.

Or they are bank executives.

Jon July 26, 2019 3:43 PM

One wonders if the Airbus '149 hours' problem is a deliberately planted time-bomb, or just lousy coding - or lousy coding of what was supposed to be a time-bomb... And how do courts tell the difference?

Incidentally, as per Steve Golson @ comp.risks*, a 32-bit UNSIGNED counter, ticking along at 8kHz, will overflow at 149 hours and 7 minutes, -ish.

Since we're on the 'signed/unsigned' counter kick, may I personally strangle (in 2038) whichever Unix guru decided that 'seconds from the epoch' should be a SIGNED integer!?

Jon

* https://catless.ncl.ac.uk/Risks/31/34#subj4

George William Herbert July 26, 2019 4:06 PM

Jon - Ken will be 95 when timeTpocaplypse arrives, if he lives that long. I personally hope he does, and that Elon takes him along to Mars, so he can look back through a telescope and laugh as the lights all go out.

POLAR July 26, 2019 4:51 PM

Very entertaining. This made me think about what happened a few years ago, aka how real pros do it.

We were in some full immersion training on various languages for S programmers. S basically programs big huge backends and db for AAA companies.

After the basics of say, Java, we went on with code samples, real world examples and best practices: do this, catch the exceptions, input parsing is better done this way...then we were interrupted "Nice, but we don't need this. If our backends or db always work we'd lose a ton of maintenance job and calls for whatever reason or upgrade"

The stroke of genius here is "not too clever coding" and its simplicity flies over logic bombs:
-cheaper
-faster
-invisible
-guaranteed results
-more random
-you can't be charged with anything (aka plausible deniability)

Yep, "good enough" code is more malevolent than logic bombs.

Impossibly Stupid July 26, 2019 6:01 PM

The part that makes Siemens look real bad is: "The scheme lasted for two years . . . fell apart when Tinley was out of town, and had to hand over an administrative password for the spreadsheets to Siemens' IT staff." No competent operation would run critical infrastructure on a system they don't control, develop software without using a version control system, or put code into production without even basic audits of the changes. Whoever put those policies in place needs to get the boot, too, along with all the people involved in hiring them.

@Jon

Since we're on the 'signed/unsigned' counter kick, may I personally strangle (in 2038) whichever Unix guru decided that 'seconds from the epoch' should be a SIGNED integer!?

Why? Dates prior to 1970 needed to be represented, too. And it's hardly going to be as big a problem in 19 years as Y2K was 19 years ago. Most systems already have 64-bit time values in place so, signed or not, I don't see a reason to strangle anyone before the next fractal Big Bang.

Clive Robinson July 26, 2019 6:52 PM

@ All,

Beware of errors...

One article says he is 62, another says he is 52.

JonKnowsNothing July 26, 2019 7:58 PM

There is another type of implementation that might not qualify as a Logic Bomb but runs on a similar premise. These are designed systems that are specifically set to make sorting out the Who What Where When and How nearly impossible. The "bomb effect" is set to prevent anyone from being able to trace back exactly how they got from A to B.

The first time I saw one of these was in a payroll department for, what was then, a Giant Corporation. The person in charge of programming, managing and running the Bonus Pay Calculation System was moving on and no one else wanted to get a core-dump so I pulled the short straw and got the dump.

One might think that calculating a sales bonus payout would be pretty straightforward (make ++ sales get + $) but in this case nearly everything was done to smooth the deviation line to zero. And if for some reason a high-flyer sales person got ++++ sales there was an override that could squash any outliers as well as depressing the entire system to --.

It was disgusting. It was capitalism at its worst. While touting the sales, market share and revenue on Wall Street and pumping up their stock price, the company in the background was stripping revenue earned from the people who put the value in the stock.

The system was designed and intended to hide every calculation going into the bonus program. There was no way anyone could determine by looking at their bonus check if it was a correct valuation.

This system was not used to calculate the bonus of any executives, they got whatever amount was decreed.

This sort of backhanded calculation was recently outed when a delivery company was found to shortchange their drivers by deducting their TIPS from their base delivery earnings. They were not as clever about hiding it.

wumpus July 27, 2019 8:52 AM

@JonKnowsNothing

I definitely should have included "owning the copyright" in my post about such things being legal (or seriously proposed laws making them such, I don't know if they were in what became law). Random employees/contractors [work for hire] are unlikely to ever be allowed to deliberately include logic bombs.
-wumpus

JonKnowsNothing July 27, 2019 10:11 AM

re: Random employees/contractors [work for hire] are unlikely to ever be allowed to deliberately include logic bombs.

In theory this would be true but in the USA employment laws are not always easy to interpret. The scope and value of the work is another factor. If the person is coming through a "contractor factory" or "big name corporation" also gets into the mix.

I don't ever recall seeing "Insert Logic Bomb Here" in any design but you can be sure there are plenty of them although perhaps the rapid obsolescence of software systems means most of them never go off.

I have seen corporations trying to claim copyright on ALL work done by a contractor without limitation, so a corporation might come back years later and claim some other software was included in their copyright. This was a boilerplate paragraph in many contracts.

Much software has a "license duration" after which the logic bomb goes off and you can no longer use it. Some of this is listed in TOS/EULA of nearly every program that has a TOS/EULA agreement.

Then there are the "logic bombs" inserted into places you never even considered. HP used to (maybe still does) write a "tattoo" on hard drives in their systems. Should you try to install a different drive the system will fail spectacularly. The "tattoo" could only be put on by an HP Field Tech and of course, you had to use an HP HD to get it.

In the USA each state also has some say in who is and isn't an employee. Currently the odds are running against folks being considered employees. A common practice is for ACompany to hire BContractFirm to furnish all workers. The workers may consider themselves employees of ACompany but are never actually employees of it. This allows ACompany to jettison the entire crew without penalty because they are employees of BContractFirm. No matter how long or short their presence is at ACompany, they get nothing when the plug is pulled. That piece of abracadabra can be done without anyone noticing, it's just a small change in protocol done below the water line.

Other sorts of "logic bombs" are included in a great many startup stock plans and grants. Wading through the reams of printed contract clauses and a pencil and paper and some thought provoking phrases along with some RL experience will show that much of the "promised compensation" given in exchange for your labor and assigning your copyrights to the company will amount to "$zero.zero".

Really the only Logic Bombs that are of issue are the ones that are not in your favor. And we all know what "May the odds be ever in your favor" means.

VinnyG July 27, 2019 2:33 PM

Several decades ago, I held a systems analyst position with a privately-held company that was nominally a designer and producer of switching products, but that was really in the business of fleecing venture capitalists. One of the engineers had cobbled together a production control system using dbaseII over PC (baseband) Network. It was not very well-designed, but it did allow the execs to show the investors data that was spun to conform with their "version" of reality, so the designer accumulated a lot of clout. However, as he was a narcissist and a true cretin, he abused his employment privileges to the point that management gave him a pretty generous parachute, along with the ax he so richly deserved. He evidently was a pioneer of the kind of logic used for warrant canaries, because, in spite of the many precautions taken by the execs on terminations (as soon as I gave notice, I had a security guard escort me everywhere I went, including the bathroom) pretty soon his system began misbehaving, randomly throwing banners across the displays with text such as "I miss Robert Smurf," "Please bring back Bob Smurf," etc. A few days later, some requests for projections began to be answered with "I need help from Bob Smurf to perform that operation." Ultimately, he was rehired, and given a bonus. I guess he knew too many details about the deceptions on investors for the execs to go to the mat with him. He was clever, if not smart, and it worked for him that time, but it isn't a plan I'd try to replicate.

Clive Robinson July 27, 2019 7:20 PM

@ All,

Have people ever asked themselves the question "Why do people write logic bombs?", then ask themselves "What would make me do it?".

The answer to the first question is often based around "Management have/are automated/ing my job away".

The simple fact is whilst the population is still rising --just-- in most parts of the Western World the number, quality and remuneration of jobs is falling except in certain areas.

We regularly hear stories in the opinion slots on news channels about the "Robots are coming to take our jobs" or "Immigrants are taking our jobs" etc etc.

In times past those of a more timid nature used to go into "Government Service" to get job security and a reasonable standard of living in old age. Now those jobs are being axed on political mantra etc.

There is also "ageism" which is used to terminate employment of people as early as their mid thirties, yet in many places the life expectancy is rising.

People are being told that if they want a reasonable job they need a degree so have to stay in education until they are in their mid twenties.

They are also told that if they want a reasonable standard of living in retirement they will have to put away up to 40% of their income from when they leave University till they retire in their 70's...

And the people telling them this are the ones who get richer and richer...

So back to that second question...

Clive Robinson July 27, 2019 10:34 PM

@ VinnyG,

Your story reminded me of something from my past, so a funny almost sad story for you,

I got accused of writing a logic bomb, and it was most definitely not my fault...

As you mentioned "several decades ago" you no doubt remember the dread of the Y2K event and how news programmes talked as though it would bring the heavens down on earth as Gabriel's Horn got blown etc etc, it would have been "existential" if the word had been in use.

Importantly though do you remember how OS Vendors were running around claiming their OS's were "Y2K Compliant" and even taking out whole page ads in the financial and business newspapers to proclaim it. Well as they say "There's truths, half truths and marketing speak".

In the late 1990's I had taken a contract gig as a SysAdmin at a smallish company. I had taken the contract as a fill in as the money back then was going crazy, as was the workload in ICT and a suitable engineering design contract gig was not available.

Thus as many SysAdmins did back then I had written a number of tools whilst working at the company to make my life easier by automating a few routine things and take away some of the "daily drudge".

As shell script "prototypes" used for rapid development they called Unix utilities like "make" which whilst a quick and dirty way to test ideas is not good for a number of reasons. Thus I then rewrote the core functions in C.

The bulk of the code was provably my own as I'd written it using a "library of functions" I'd developed over some years prior to working at the company for managing my own systems, the code even had a copyright notice with date info etc which was printed out in the versioning information.

Also as the company did not do "development" I had to install the entire compiler tool chain outside of work hours etc. I did this rewrite firstly to stop (ab)using the Unix utilities, secondly to make the scripts run a bit faster and importantly back then generate less processes. Thus it made my life a little bit easier. As the scripts and program were just for me to use the scripts like the C code gluing the library functions together were rough and ready and I did not really document them or keep the source code around. Anyway I left at the end of my contract and the company cleared out my work areas etc.

And that should have been the end of it, however a couple of years went by in which Y2K came and was long past. Then I got a phone call...

Completely unbeknown to me, another SysAdmin who had access to the area the shell scripts and executable had been in, had filched the executable and was using it in their own scripts on other systems. If they had asked at the time I'd have given them the original prototype source for the shell scripts so they could customize to their own requirements.

Basically in the phone call I was told to hand over all the source code or be prosecuted. I pointed out that I did not have the source code and as I had not worked for the company for a considerable time I would have no idea what they had done with it, nor did I know they were using the code which was not theirs to use.

Anyway the company now being considerably larger got the arse and sent a solicitors/lawyers letter. I sent them a letter back telling them to point out where in my original contract it was stipulated that I should do software development, keep copies of the source code indefinitely, and maintain it without remuneration indefinitely. And if they could not --as I knew they could not-- to immediately cease and desist.

Well to cut a long story short they then got very arsey and brought in an expensive consultant to reverse engineer the code... And their finance people sent me the bill with a thirty days to pay notice. A friend who had legal connections hit them with a counter claim and gave them 14days notice before action.

Thus the company had to hand over their supposed "evidence". I don't know where they got the consultant from but he was not competent and vastly over priced and his report to management made no sense. They got told this and they went ballistic and to try and stop the court case against them got the authorities involved and told them a pack of lies. Well it all got a bit nasty for a while, especially when my legal representative had to explain that contract law had certain niceties that were not blackmail to a police officer.

What became clear was that the other SysAdmin that had used my executable and scripts without permission, had gone on to build further complicated shell scripts around them. Which they then very inadvisably built a business system on, that the company had become way too overly reliant on...

Complete and utter madness and surprise surprise the other SysAdmin had likewise ceased to work there but as they were not working in the country any more they were effectively beyond reach... So the company legal people went after "the next man standing" which was me.

The upshot was it was actually the OS supplier's fault combined with new inexperienced SysAdmins... The OS vendor had a time routine that they claimed was Y2K compliant back when I wrote the executable. Well that was only partially true... It turned out that if you changed the localtime in a certain way then the TZ variable was not correctly used and what you got back from the OS time routine was not Y2K compliant...

The company because it had grown now had a new fresh faced SysAdmin "team" and they had "done an OS upgrade" irreversibly without first fully prototyping it...

The upgrade activated the issue in the OS time routines and it was that which had broken my C program from a couple of OS revisions before... The solution would have been a simple change to an environmental variable...

Anyway for all the company assyness they got a large legal bill from my friend and had to stop using my executable and sign a gagging order. Funnily like the OS vendor they don't exist as such any more.

I learned a lesson, which I've since implemented. If as a SysAdmin you write code, lock it to the OS and version you've tested it on. That way an OS upgrade won't mysteriously break any code you've written, your code will just stop with a clear error message that the OS version is not supported...

But the entire incident woke me up to a trend that has been getting worse, basically of small companies doing things the wrong way, then when growing breaks things rather than swallow the medicine, they try to get previous workers contract or permie to fix their problems free gratis at the point of a writ...

Jeff July 28, 2019 11:28 PM

@Clive Robinson wrote, " I sent them a letter back telling them to point out where in my original contract it was stipulated that I should do software development, keep copies of the source code indefinitely, and maintain it without remuneration indefinitely. And if they could not --as I knew they could not-- to immediately cease and desist."

Interesting story, but this reeks of a legacy system. Apparently most business developers these days are well-versed in 4G languages and will not understand C if their lives depended on it even if it were just a few println subroutines.

Had you not put your names in the code you probably would not have had any issues from them? I personally would not put my name on any code I wrote.

Juhani July 29, 2019 1:32 AM

If the consultant would have made a lookup table and then just filled it, then that is business as usual. He showed that he was breaking the system intentionally and that was a mistake.

HP has been doing logic bombs with printer ink and to my knowledge they even claim that their chip must not be emulated. Plausible deniability, half the ink is in the bottle, but not up to HP quality standards ...

Clive Robinson's story is an interesting example, he did create a time bomb. Works for me is not the level of engineering needed when working for a company, it must work for us/company/next man and that engineering is a lot more difficult, usually use boring standard tools, keep things simple for others, allow problems to just go away. Now he creates hard version checks to custom solutions / hacks and the next monkey must redo his heroic accomplishments at upgrade time, the solutions are only a temporary patch. But that is not criminal, business as usual.

Doug K July 29, 2019 10:03 AM

As Polar says, the usual way to do it doesn't involve logic bombs. Instead just write barely functional code with terrible documentation. This is easier than writing good code, and doesn't leave any traces of maleficence. But it has the same effect as logic bombs - the consultants will feed heartily upon it for decades.
I've been watching this happen since the early 80s when I started working in IT.
Outsourcing hasn't improved this, oddly enough.

As for Siemens running its production systems on poorly scripted macros belonging to an outside consultant, that's hardly unusual. Sadly.

JPC July 29, 2019 3:57 PM

I take two security lessons away:

1) Plant-logic-bomb-and-they'll-pay-me-to-fix-it is a terrible business model. Why? Because it fails badly; and

2) Good security is like 75% fundamentals. Catching this wouldn't have required huge, extensive, expensive security measures.

Clive Robinson July 30, 2019 6:26 AM

@ DougK,

Outsourcing hasn't improved this, oddly enough.

It's what you would expect really.

It's kind of basic economics of supply and demand. The sole purpose of "outsourcing" despite the rhetoric is short term cost reduction to increase quarterly figures and the like.

So it's a lowest bidder wins market made worse by the demand for as near instant gratification as possible. Which adds to the problem, so the reality is a market that at the bottom you can charge a slightly higher --but still below sensible-- price for doing it in minimum time.

So you get "stock code with glue" where the stock code is not written by the person writing the glue, it is simply copied mostly "sight unseen" from somewhere. Because of the haste there is little or no testing or even code review before such a mess goes live.

I have often wondered about the potential for a "malicious actor" setting up "code examples" with subtle flaws in them to supply a steady stream of subtle "bugs" that are really "vulnerabilities" when two or more are used.

That is each vulnerability by itself on analysis looks like a bug that on its own would be insufficient to give an exploit, thus has "Reasonable Deniability".

There are plenty of "Reasonably Deniable bugs" you can hide in "example code"... Which because it's example code, "for clarity" does not check the inputs or returns, errors or exceptions, thus "for clarity" is your "Reasonable Deniability". However with two such bugs one or more of several vulnerabilities, can open up giving a range of potential exploits you can easily find because you designed them. So if one bug gets fixed by the glue writer the chances are there are still a couple of other vulnerabilities.

Thus if the glue writer incorporates say five of the grafted bugs, there are going to be ten or more actual vulnerabilities that can be exercised, and potentially more if there are other actual unintentional bugs the glue writer adds...

Just one of those idle thoughts I have from time to time, about how I would go about exploiting failures in "tail spin markets" which "software outsourcing" especially any involving crypto is... I'd give it maybe five years minimum before people will actually become sloppy enough that it becomes all too obvious, but that won't stop a "tail spin market" that needs a fundamental change in senior management thinking, which as it affects their bonuses and future employability is very unlikely to change.

There are three basic ways a tail spin market ends,

1, By enforceable regulation.
2, By its irretrievable collapse.
3, Keeping it on life support is more expensive than other paradigms.

JonKnowsNothing July 30, 2019 6:24 PM

@Clive and All

iirc long ago I worked with some RTOS which required different stacks for the application. One stack in particular was noted as having a serious flaw in it, that had to be corrected for every update, or new company that purchased it. Given that in those days everyone just Rotated One Right into the next position, there was nearly always someone who knew where the flaw was and what was needed to fix it. It was a logic bomb not fixed by the vendor. In those days the stack cost upwards of $100k. That flaw might still be floating about.

I knew that most of my co-workers carried with them and used their own "tool kits". These were stubs (or more than stubs) of code collected from their Previous Rotate One Right positions. Most were utilities or string functions or memory RAM drives that they had built for their own work, given that almost no company provided anything other than an editor and a compiler. (oh for the days when Vi Wars were entertainment along with the "4 spaces or tab" clashes).

It was certainly the case that some programmers were far more clever than others and it was not uncommon to be tasked with changing previous DevDave's code, only to have to report that it might be a long long time and couldn't we just get DevDave back long enough to fix it?

I once had to delve deeply into some very arcane graphics code. It wasn't that I was clever, I just had heard DevDave talking about how the code was written. Many manuals later I was able to unravel what was happening. I'm sure DevDave's code manipulation is still out there somewhere except the manuals that you needed to figure it out are no longer available.

I wouldn't call it a deliberate logic bomb but in a way it's an In Your Face I'm Smarter Than You method of working.

It's a trade off and corporations pay for what they get or what they don't.

Bong-Smoking Primitive Monkey-Brained Spook July 30, 2019 10:48 PM

@JonKnowsNothing,

How true!

It's a trade off and corporations pay for what they get or what they don't.

It's a trade off and corporations pay for what they get or pay for what they don't get.

Slight variation on meaning, perhaps :)

TheWhat July 30, 2019 11:33 PM

Alternative headline: dumb criminals have dumb scheme that actually works for years.

As an aside, is the Obfuscated Excel Competition? It'd almost be too easy though. I mean, who uses *spreadsheets* as business critical process control, and what kind of Karma do they expect?

Gerard van Vooren July 31, 2019 12:09 AM

@ TheWhat,

" ... I mean, who uses *spreadsheets* as business critical process control, and what kind of Karma do they expect?"

Who? Millions of users.
What kind of Karma? Well, it's mostly a "tool" to do whatever you want and with embedded code that floats around. I can't understand why engineers use this piece of manure. And if you want to fix this, look at this presentation.

Paul Rain August 2, 2019 8:06 PM

> As an aside, is the Obfuscated Excel Competition? It'd almost be too easy though. I mean, who uses *spreadsheets* as business critical process control, and what kind of Karma do they expect?

Oh, only all small to medium sized businesses. Most larger organizations at some level.
