Jury Convicts Net Manager in Landmark Case

NEWARK, N.J. (05/12/2000) - The morning of July 31, 1996, the first worker in the door at Omega Engineering Inc.'s manufacturing plant in Bridgeport, New Jersey, logged on to his computer and unwittingly detonated a software time bomb that systematically eradicated all the programs that ran the company's manufacturing operations.

To make matters worse, executives soon found there were few options to keep the department running. Shortly before the attack, Tim Lloyd, a 37-year-old network administrator, moved the programs off individual workstations and onto Omega's central NetWare file server. And there were no back-up tapes to access because Lloyd brought them home and reformatted them, according to testimony at his trial for computer sabotage, which ended last week in a guilty verdict.

And in a clever twist, Lloyd added a simple line of code to his time bomb so when that early-morning user logged on to the server, the screen flashed a message that said 'fixing.' Thus, no one was alerted to what was happening until the programs had been deleted and purged.

Omega suffered $12 million in damages and lost its competitive footing in the high-tech instrument and measurement market. Eighty workers lost their jobs as a result. "We will never recover," said plant manager Jim Ferguson.

The Tim Lloyd case is not only one of a trusted employee who built a company's network and then crippled it, but it's also a precedent-setting legal victory that demonstrates the government is capable of tracking down and successfully prosecuting corporate computer crime.

"This tells everyone that we're capable," said Assistant U.S. Attorney V. Grady O'Malley, who prosecuted the case for four weeks in Newark District Court.

"There are people out there who believe they can't be caught. They think people aren't as smart as they are, and if they are, they're not in the government. This shows them that we can track down the evidence, understand it and logically present it to a jury."

The jury deliberated for 10 and a half hours before finding Lloyd guilty of computer sabotage, which carries a maximum sentence of five years in federal prison. He was found not guilty of a second charge of interstate transportation of stolen goods. Lloyd, who lives in Wilmington, Delaware, is slated to be sentenced July 31, four years to the day after the software bomb exploded.

Lloyd maintains innocence

In an exclusive interview with Network World after the verdict came down, Lloyd maintained his innocence and said his lawyers are planning to appeal.

"There's no way in the world I did this," said Lloyd, who has been remanded to his home state of Delaware until sentencing. "I had complete access to the mainframe system from my home. . . . If I was a vindictive person, do you think I'd go after a teeny-tiny little network?"

Lloyd said the evidence against him is a strange confluence of circumstances, mixed with a good portion of fabrication. He maintains that Omega is using him as a scapegoat to cover up the fact that the company left its network and the programs that fueled its manufacturing unsupervised, unprotected and unmaintained.

And Lloyd told Network World that his attorneys have the missing programs. He said one of the defense's data recovery experts found them on a copy of the targeted file server. Lloyd's attorneys, however, did not present the programs or the expert during the trial.

"We got 'em," said Westmont, New Jersey-based Edward Crisonino, one of Lloyd's defense attorneys. "Our expert recovered them from the file server - the Omega [file server] that the government gave us. They could have recovered them if they knew what they were looking for. . . . We found it a couple of months ago."

"That tells me they've obstructed justice," O'Malley countered. "Morally speaking, if they knew they had the files . . . they had an obligation to come forward. . . . Even if they did have the programs, which I do not believe they do, that wouldn't have changed the crime. [The sabotage] was still a crime."

Lloyd's assertion is also at odds with expert testimony from Ontrack Data International Inc., a Minnesota company hired by Omega first to try to recover the programs and then to investigate what happened. Ontrack technicians, after months of work, determined that the data was unrecoverable.

Ontrack's Greg Olson told the jury the six lines of code that constituted the time bomb were written so it would detonate on boot up, no matter which user logged on first. He also said the program deleted everything except NetWare-specific utilities, which are designed to be undeletable. And the purge command wiped out the deleted files from the saved.exe folder, where they normally would still be accessible.

And that single purging still haunts Omega, a Stamford, Connecticut, manufacturer of customized high-tech measurement and instrumentation devices.

Ralph Michel, Omega's chief financial officer, testified that the software bomb destroyed all the programs and code generators that allowed the company to manufacture 25,000 different products and to customize those basic products into as many as 500,000 different designs.

After the system went down, in desperation, the company continued to run the machines with the programs already loaded on, until they ran out of raw materials or began choking on the inventory. Michel said the company spent $2 million to reprogram the machines and lost an estimated $10 million in sales and other costs.

"That department gave us flexibility to modify our products and gave us the ability to lower our costs," said Michel, who noted that Omega had shown 34 years of growth but started slipping after the computers crashed. "We lost both of those advantages in July 1996. . . . I believe the server crash was one of the principal reasons for the drop in sales, if not the reason."

While Lloyd is technically correct that the system that was affected by the software bomb was a relatively small part of the company's overall computer network, it was, nonetheless, a key area of vulnerability, which was exploited by someone who knew exactly where Omega's weak spots were.

This should serve as a warning to all network executives, according to analysts and industry observers.

"This could happen anytime, anywhere," says Richard Power, editorial director of the Computer Security Institute in San Francisco. "People need to wake up. Companies should look at this and think, 'My God, that could be me.'"

In fact, Omega executives said Lloyd was one of their most valued workers for most of his 11-year stint at the company. They described him as a trusted employee, one who had access to senior-most management, in what was a relatively small company. "He was the genesis, the force, behind us growing the [Computer Numerical Control] equipment department," testified Ferguson, referring to the CNC department, which is the manufacturing area where Lloyd worked. "He was responsible for everything to do with the manufacturing computers. . . . I trusted Tim completely."

But Lloyd found himself losing status and clout as the company grew into a global corporation. The technology star never adjusted to the role of team player, according to several witnesses for the prosecution. His damaged ego and jealousy eventually took the form of physical intimidation of his co-workers, knowingly running faulty designs to make co-workers look bad and bottlenecking a project because he wasn't in charge of it, the witnesses said.

O'Malley described it as a case of a trusted, long-term employee who built the company's network and then began plotting to destroy it when he started losing his standing and respect in the company.

As the relationship between Lloyd and Omega was unraveling, Lloyd was operating on two separate tracks, hunting for other jobs and planting the time bomb, which was set to go off on July 31. According to testimony, Lloyd was fired on July 10, leaving the ticking time bomb behind in the form of a six-line string of code on the plant's centralized file server, which was running NetWare 3.12.

The government said Lloyd was intent on blowing up Omega's server no matter how he went out the door. Testimony revealed that Lloyd was the only employee at the company responsible for maintaining, securing and backing up the server.

But prior to leaving, he gave network rights to several employees as a way of casting suspicion on others, according to the prosecution. However, these other employees were never told they had access to the network and didn't have Lloyd's level of computer savvy.

Special Agent William D. Hoffman of the Secret Service executed a search warrant at Lloyd's home on Aug. 21, 1996, 22 days after the system crashed, and found two tapes, one of which was labeled "backup," with Lloyd's full name and the dates May 14, 1996 and July 1, 1996. Both tapes had been reformatted a little more than a week after the crash.

Hoffman also found a stash of Omega-owned property, including sound-enabled keyboards, hard drives, CDs and motherboards. The software found included original copies of Omega's proprietary code generators and bootlegged copies of commercial software, such as AutoCad and Microsoft Office.

Lloyd says the tapes were his personal back-up tapes for his home system.

Jurors said they did not find Lloyd guilty of the theft charge because they didn't think the amount of stolen property added up to the $5,000 limit that made it a federal crime. "We had no disagreement that those things were taken illegally, but we strongly disagreed on the value," one juror said.

Precedent setting

Ken VanWyk, corporate vice president and chief technology officer of ParaProtect Services Inc., a computer security portal in Alexandria, Virginia, said this case will have historical and legal significance, setting a precedent for how computer security crimes are handled.

"You're looking at a lot of damage here," VanWyk said. "The company has been greatly damaged. How easy is it to track down digital evidence? How easy is it to find the culprit following a digital trail? How easy is it to make a jury understand the technology? These are all questions that will be answered."

And O'Malley said the answer has come in loud and clear. "These people should realize they are no longer invulnerable," he added. "This type of crime is no longer a mystery, and there is some bite to computer crime statutes."
