A 40-year-old Lianjia programmer, who had once told his leader that system security problems were being ignored and whose post was also adjusted, angrily deleted the company's 9TB database. This "database deletion" story is not only true; the court has recently handed down its final judgment. Lianjia spent 180000 yuan to recover the data and system. Recently, the Haidian District People's Court of Beijing made a final judgment: the defendant, who committed the crime of sabotaging a computer information system, was sentenced to seven years' imprisonment.
How did this "database deletion" incident happen?
On November 4, 2020, the judgment disclosed the whole process of the incident for the first time.
That's how it started.
On February 1, 2018, the defendant Han joined Lianjia and was responsible for the database management of the financial system.
Under company rules, Han's permissions should have been limited to operating the company's database, but Han said that the company's management was very chaotic and that he was given permission to log in to the management system after he joined.
With this permission, a user can install and delete related applications on the system.
Han said: "When I worked at the Lianjia headquarters in Jiuxianqiao, Beijing, I once sent an email to the leader, saying that such a system was unsafe."
Zhang, another database administrator, confirmed that they had reported the security problems of the financial system to the leaders of the financial line and the information line, but the reports did not get attention, and they even had disputes with the leaders of the information line.
In May 2018, Han's office location was changed from Jiuxianqiao in Beijing to the eighth floor of the digital media building on Shangdi Sixth Street.
The "deletion" incident happened on the Sixth Street of Shangdi.
On June 4, 2018, according to the company's surveillance video, Han went to work at about 11 o'clock and left the company at about 18 o'clock.
At 14:35 that day, staff in the technical support department found that the server application of the company's financial system had failed and could not be logged in to.
Technicians went to the computer room to check and found that the application and 9TB of data on the financial system server (EBS system) had been maliciously deleted. All of the company's financial data since its establishment was stored there, and the loss directly affected salary payments to the company's staff.
The company urgently engaged Hangzhou Xifei Information Technology Co., Ltd. and Xiaosi Technology (Beijing) Co., Ltd. to recover the data.
On June 6, 2018, the company temporarily took custody of the computers of five employees who had access to the company's financial system. Han refused to provide the name and password for his computer.
Han said that he used his own laptop at work, so the name and password were a matter of personal privacy, and that the public security organ could check the computer in its own way.
By June 12, 2018, data recovery had cost Lianjia 180000 yuan.
Through log recovery and correlation analysis, it was determined that the end user with IP address 10.33.35.160 remotely logged in to the server as root between 14:00 and 15:00 on June 4, 2018, deleted the data files on the server by executing rm and shred commands, and erased all of the current user's operation logs.
On July 31, 2018, Han was arrested by the public security organ.
Investigators exported the event log for IP address 10.33.35.160 on June 4, 2018 and found that at 14:17 the DHCP server had assigned the address to client ID (device MAC address) ea-36-33-43-78-88, with the device host name Yggdrasil.
△ The WiFi Spoof interface, which can be used to change the MAC address
92 records related to MAC address 28:CF:E9:1C:48:13 and 4 records related to MAC address EA:36:33:43:78:88 were retrieved from the $inodetable file on the computer. The terminal records on the computer contain shred and rm commands, which were executed locally.
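The correlation described above, as an added example that is not taken from the judgment: given DHCP lease events, find which device held 10.33.35.160 during the 14:00-15:00 window and check whether its MAC address is locally administered (set in software). The log format, the function names and every row except the 14:17 assignment are constructed for illustration.

```python
"""Added example: attribute an IP address to a device from DHCP lease events."""
from datetime import datetime, timedelta

# Constructed sample log: timestamp,event,ip,hostname,client-id (MAC).
# Only the 14:17 "Assign" row uses values quoted in the article.
SAMPLE_LOG = """\
2018-06-04 09:02:11,Assign,10.33.35.160,desk-0412,3c-52-82-00-00-01
2018-06-04 13:40:05,Release,10.33.35.160,desk-0412,3c-52-82-00-00-01
2018-06-04 14:17:00,Assign,10.33.35.160,Yggdrasil,ea-36-33-43-78-88
2018-06-04 14:20:30,Assign,10.33.35.161,desk-0377,3c-52-82-00-00-02
2018-06-04 16:05:42,Release,10.33.35.160,Yggdrasil,ea-36-33-43-78-88
"""
FMT = "%Y-%m-%d %H:%M:%S"


def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set, meaning the
    address was set in software rather than assigned by the manufacturer."""
    first_octet = int(mac.replace(":", "-").split("-")[0], 16)
    return bool(first_octet & 0x02)


def holders(log_text, ip, start, end, skew=timedelta(0)):
    """Devices whose lease on `ip` overlaps [start - skew, end + skew].
    `skew` models uncertainty between uncalibrated clocks."""
    start, end = start - skew, end + skew
    open_lease, found = None, []
    for line in log_text.strip().splitlines():
        ts, event, addr, host, mac = line.split(",")
        if addr != ip:
            continue
        when = datetime.strptime(ts, FMT)
        if event == "Assign":
            open_lease = (when, host, mac)
        elif event == "Release" and open_lease:
            since, l_host, l_mac = open_lease
            if since <= end and when >= start:  # lease overlaps the window
                found.append((l_host, l_mac, is_locally_administered(l_mac)))
            open_lease = None
    if open_lease and open_lease[0] <= end:  # lease still open at end of log
        _, l_host, l_mac = open_lease
        found.append((l_host, l_mac, is_locally_administered(l_mac)))
    return found


if __name__ == "__main__":
    window = (datetime(2018, 6, 4, 14, 0), datetime(2018, 6, 4, 15, 0))
    print(holders(SAMPLE_LOG, "10.33.35.160", *window))
    print(holders(SAMPLE_LOG, "10.33.35.160", *window, skew=timedelta(minutes=30)))
```

With exact clocks only the Yggdrasil lease matches; with 30 minutes of clock uncertainty the earlier constructed lease also falls in the window, which is why unsynchronized server clocks weaken this kind of attribution.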
On November 4, 2020, in accordance with the first and second paragraphs of Article 286 of the Criminal Law of the People's Republic of China, the Haidian District People's Court of Beijing made the following judgment:
The defendant Han committed the crime of sabotaging a computer information system and was sentenced to seven years' imprisonment.
After the judgment, the defendant Han was not satisfied and appealed to the First Intermediate People's Court of Beijing.
For this appeal, the main defense opinions of the defender are as follows:
In this case, the facts are unclear and the evidence is insufficient, so reasonable doubt cannot be ruled out, and the principle of no conviction in case of doubt should apply. The electronic data appraisal began more than one month after the incident, so it is uncertain whether the electronic data was modified during this period. The existing evidence cannot confirm the exact time of Han's alleged deletion or that Han carried out the deletion by executing commands.
It cannot be ruled out that the damage was caused by intrusion from external factors, or by vulnerabilities and program problems. It is not clear whether the system was completely paralyzed, the evidence is insufficient, and the size of the deleted data is not clear. There is not enough evidence to establish the loss of 180000 yuan, and there is no evaluation or appraisal by a third party. Han's subjective malice was not great and he did not cause serious social impact, among other mitigating circumstances.
However, during the second trial, the appellant Han and his defense did not provide new evidence to the court.
After investigation, the court found that the video server and the four servers involved in the case had not been calibrated against standard time, so the time difference between the surveillance time and the server time could not be determined, and the possibility that Han committed the crime could not be ruled out on the basis of the video time and the server time.
On December 29, 2020, the First Intermediate People's Court of Beijing rejected the appeal and upheld the original judgment.
Details of the "delete database" incident triggered heated discussion
The company hit in this incident is Lianjia (lianjia.com).
Lianjia, formerly known as "Lianjia online", was established in 2010 and officially renamed in 2014.
As for its main business, most readers will know it as a real estate service platform.
According to public information, its main business includes information search, product development, big data processing and the establishment of service standards.
The importance of financial data to a company is easy to imagine. That such a thing happened at a company of this scale, together with the details exposed in the ruling, inevitably caused heated discussion among netizens.
The first topic is the "data recovery" mentioned in the judgment, that is, "Lianjia spent a total of 180000 yuan to recover data and rebuild the financial system."
Some netizens think that, according to this description, the company's financial database has no remote backup.
If there is a backup, the recovery system is only "hour level" manual work, and it is unlikely to need 180000.
So, the IT management of this company is terrible.
Some netizens made such an analogy to the "180000" in the judgment:
The second topic is Han's "operation".
That is, "by executing rm and shred commands, deleting data files, erasing operation logs, etc., the financial data and related applications were deleted, which made the company's financial system unable to log in."
Netizens called it "a programmer making low-level mistakes".
Some people think that the database administrator's technique was too crude.
More technical netizens raised their own questions:
Even the MAC has been changed, don't you know how to change IP and host name?
Generally, IP is changed first, then the host name is changed, and finally the MAC is changed.
However, leaving aside the details of this case, this "deletion" incident has once again brought the issue of data security to public attention.
"Delete database" incidents occur frequently; data security is greater than the sky
Netizens found the Lianjia incident very "sad" and expressed their confusion:
How can we back up data from time to time?
However, similar things do happen from time to time.
For example, in the Weimeng case last year, the actions of one of the company's own programmers wiped more than 1 billion yuan off its market value and also affected and paralyzed 3 million stores.
Starting on the evening of February 23, 2020, Weimeng's servers were down for as long as 53-125 hours.
In this incident, Weimeng was maliciously damaged, and the person responsible was its own employee, He, a core operations and maintenance staff member in the operations and maintenance department of the R&D center.
On February 24, 2020, the programmer was detained by the Public Security Bureau of Baoshan District, Shanghai; on August 26, the criminal judgment (first instance) of the People's Court of Baoshan District was announced, and he was sentenced to six years' imprisonment.
He also confessed that he acted after drinking, for personal reasons such as dissatisfaction with his life and being unable to repay his online loans.
Programmer "delete database" incidents occur frequently, and they sound an alarm for both enterprises and individuals.
For enterprises, "data security is greater than the sky". In the digital era, how to back up data properly and how to have the relevant IT departments manage data sensibly are problems that enterprises should pay attention to.
For programmers, it is really not worth venting problems caused by personal emotions and life through such extreme means, gambling one's personal future and taking the road of crime.
I also hope that a story such as "delete the database and run" will always remain just a story.
After all, every time it happens in reality, not only do enterprises and users suffer losses, but some people also face legal sanctions or even lose their freedom.