Is someone hiding their servers in your data center?

Christopher Naples is on track to become the second most infamous person for bringing his own computer gear to work illicitly. He was recently charged with using more than 40 devices to mine Bitcoin and other cryptocurrencies, connecting them to his office computer racks. Naples is (was) an IT supervisor for the Suffolk County Long Island government. His gear was placed under raised floors and inside unused power panels, clearly to avoid obvious detection. The crypto mining gear generated so much heat that the HVAC folks had to rebalance their systems to cool everything off, costing the county thousands in added electrical power.

His case will now be heard by the courts, and I wish them well in being able to sort out the situation. Mining, or creating new crypto value, is a very energy-intensive operation because it uses very high-end computing gear that draws power. There have been some estimates that the total power consumed by all the worlds’ Bitcoin users is more than the demand by Finland, which has 5.5M people.

I think the case against Naples is pretty solid: this was gear that he was using to enrich his own personal gain. The reason why I say his second place entry in this unique category is because of the case of Aaron Swartz, a computer scientist who ten years ago hid his server in a MIT closet. Swartz was unhappy that an online academic research consortium called JStor was charging for copies of articles to private citizens but granting free access to certain academic users. Hence the location. Over the course of several months, he managed to download millions of articles to his server, which eventually tripped a network monitor and brought a huge federal case of 13 felony charges against him. He killed himself shortly before he was to begin serving a long jail term. (Carl Malamud, who worked with Swartz, documents the situation nicely here.)

A case could be made that Ed Snowden deserves to be on this list somewhere: he did bring USB thumb drives to his office to download various NSA secret documents, although he didn’t leave any gear in his office closet. Unlike Swartz and Naples, his frantic document copying tactics weren’t detected by his employer, which is more ironic given the nature of the NSA and presumably the various scans and network checks that should have been in place to detect this massive effort.

What Swartz, Snowden and Naples to some extent prove is the value of intrusion detection, particularly as it relates to exporting data to a remote network. Of course, now that many of us are working remotely, this brings up special challenges to detect these massive data exports when they are part of the normal operations and not something fishy going on.

You might think that hiding your personal servers at work could be solved by moving more resources into the cloud. But this just makes finding these illicit servers a lot harder to find. There are a number of tools that can specifically search for non-sanctioned servers, but you still need IT staffers to keep track of things.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.