US Bot Herder Admits Infecting 250K Machines
AceCaseOR writes "In Los Angeles criminal court, security consultant John Schiefer, 26, has admitted infecting the systems of his clients with viruses to form a botnet containing a maximum of 250,000 systems. Schiefer used his zombies to steal users' PayPal usernames and passwords to make unauthorized purchases, as well as to install adware on their computers without their consent. Schiefer agreed to plead guilty to four felony charges of accessing protected computers to commit fraud, disclosing illegally intercepted electronic communications, wire fraud, and bank fraud. He will be sentenced Dec. 3 and faces up to 60 years in prison and a fine of $1.75 million."
"...a system so simple even a grandmother could use it to infect computers..."
As a feminist, and a grandmother, I resent that.
The adware and viruses he installed slowed my system down, so I couldn't get first post.
Is 60 years long enough? Will they have the charged electrodes attached to his testicles for at least half of that?
He'll get 5 years at a country club and a bunch of great job offers after he gets out. You heard it here first.
According to the article, this jerk got $19,000 for dumping adware on more than 150,000 pcs.
He also encouraged minors to act as go-betweens:
Obviously he had more than one kid "working" for him. He probably agreed to the plea-bargain because otherwise he'd be facing total possible time of several hundred years.
However, he won't be hired by anyone in the computer field after this - what he did was a simple con, no "computer wizardry" required. Hans Reiser would have more chance after a murder conviction.
I wonder if this is an instance of someone 'admitting' it just to get some reduced sentence.
Just because you admit to something in a court does not mean it's actually true.
Max.
Kevin Smith on Prince
This is why companies have outside auditors for their accounting departments.
Should not companies now figure out how to audit their IT departments regularly?
This is NOT that uncommon, after reading some of the stuff written by the forensic snoops hired by private companies (who mostly do not want anyone to know that anything was compromised...shareholders & investors for instance).
Is there some kind of accreditation or certification for security consultants? I understand credentials can be forged, but could an agency for security consultant certification help?
"To stop the terrorists."
If he gets a fine this large and jail time for infecting 0.25 million computers, where's the appropriate sentence for Sony for knowingly infecting millions of computers with the rootkit on their CDs?
Please don't insult the thousands of honest security consultants by calling this guy a "security consultant." The title of "con artist" would be far more accurate.
I suspect he registered the domains he purchased with the stolen PayPal accounts in his own name, or the items he bought with the accounts he had delivered to his house.
FlyingPizzas.com, for the tasteful hermit
I dunno about 'is' being murdered, but you're doing a pretty good job on the English language.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
He knowingly, willingly and maliciously did this. It wasn't an accident, a crime of passion or something he did because he was drunk one night, it took real work over many months. He was well aware of what he was doing the whole time he was doing it.
The proverbial book needs to be thrown at people like this. These are precisely the sort of people we should be making an example of.
No sig today...
it's so hard to make the punishment fit the crime with these people
there almost needs to be special jails to punish obscene internet abusers
i won't try to describe such a facility for you, let us hope that your imagination is as good as mine
There's nothing constructive to derive from this post but pointless speculation. Let that take care of the concerns of the trolls and critics right off the bat, nothing to see here, move along.
Anyways, I've been doing a bit of thinking about this issue.
You often hear about 'white collar' criminals being given massive sentences. They could be organisers of international software piracy rings, super electronic fraudsters (like the one mentioned in the original parent article), whatever. The numbers of years they are sentenced to and dollars they are fined just seem to get bigger and bigger each time I hear a new story.
New laws are increasingly being passed to raise the penalties for electronic crimes. These harsher penalties don't seem to be acting as much of a deterrent, however.
The economic damage caused by internet and computer crime is staggering, the number of victims (as seen in the article) in the hundreds of thousands, potentially even millions. Could there come a time where these crimes could incur capital punishment?
Disclaimer: I come from a country without the death penalty, and personally don't understand the necessity for it, so don't read this as my supporting the idea. This isn't about my personal philosophy.
Murder is already a capital crime in a number of US states. People are already being executed in many countries for crimes other than murder. Drug trafficking, serious sexual offences, could it be a relatively small step for internet crimes to escalate into capital territory?
The internet being international as it is and the victims of these crimes often being selected so indiscriminately, could it be a matter of time before an American committing e-fraud is indicted in a country where his crimes are of a capital nature?
Extrapolating ludicrously, could a European citizen not subject to capital punishment be indicted by an America where their internet-based crime warrants the death penalty?
It's controversial enough when a citizen of a country that doesn't have the death penalty is sentenced to death in one that does. Imagine if the crime they committed was something we might look at as being comparatively trivial in nature.
I warned him, god dammit. Got the FBI sent to my house over this shit.
It says the dude is facing 60 years... I don't think you can turn 60 years into 30 months in ANY scenario.
3G Communications may also go under because of this guy's actions.
Would you trust them after this?
No sig today...
he should be fined for everything he has, 100% of his money in all banking accounts, have all his property taken away, real estate, valuables = gold, jewelry, computers, TVs, stereos, etc... everything he owns, and given a long prison sentence of 40 years...
Politics is Treachery, Religion is Brainwashing
Wish this was ancient Greece, where people can be sentenced to death for corrupting the mind of youths.
ELOI, ELOI, LAMA SABACHTHANI!?
ONCE a blackhat, ALWAYS a blackhat -rite foyoder?
Sony is a corporation. They don't operate under the same laws people do.
Hell, if you're big enough, you can even buy after-the-fact immunity these days.
The first poster must've been a victim too, his post is GONE!
From the story: "...Schiefer said he and his friends spread the bot programs mainly over AOL Instant Messenger (AIM). By using malicious 'spreader' programs such as Niteaim and AIM Exploiter, Schiefer and his co-conspirators spammed out messages inviting recipients to click on a link. Anyone who took the bait had a 'Trojan horse' program downloaded to their machine, an invader that then tried to fetch the malicious bot program." Read more at this link here.
...because you never know who you're dealing with.
stupid ass right about now... How do you say "n00b" in Russian?
Never monkey with another monkey's monkey.
If my math is correct, serving 60 years for infecting 250,000 PCs is roughly 2.1 hours of jail time per infection. I've had a headache last longer than that. I think for starters, he needs to write "I will not infect other people's computers with password stealing viruses" 250,000 times, with a poorly sharpened pencil. I then think he should be made to eat every last page.
This blog, Security Fix, in the Washington Post has additional info based on an "exclusive interview":
http://blog.washingtonpost.com/securityfix/2007/11/security_pro_admits_to_hijacki.html?nav=rss_blog
From the article: The poor guy saw the light in early January 2006.
"Ever since then, I've been more trying to create a positive thing and trying to prevent crap like this happening," he said. "I kind of saw the error of my ways and decided I'd had enough."
according to my math
I'm the last person to support insane prison time and fines as a deterrent. It ain't one. It never has been and never will be. Look at the insane punishments we got today for copyright infringement. And I'm not even talking about the civil suits for "damages" (or as I like to call it "the MI's new business model"). We now got 10 years prison time for that as a maximum sentence. For the same penalty, I could rob a bank, hold people hostage for a few hours and wreck a getaway car into a school.
... ok, no thinkofthechildren examples. But you get the idea.
This isn't just a "simple" criminal using malware to steal IDs. He was the guy who was supposed to disallow exactly that. He was the one people trusted to keep them clean from malware. Now, he didn't just fail in his job and allow it despite his attempts, he deliberately and intentionally infected his clients' computers.
That's why I don't think this punishment is overdone. We're talking about the maybe most insidious way of breaking a law: Getting people's trust, getting them to believe you're going to keep them safe from just what you want to do to them. It's like a cop breaking into your home or your babysitter
This is NOT the punishment I'd see as adequate for a "normal" malware attacker (even though I would love to see them dangling from their dangling bits, but that's my personal opinion).
As for those that expect him to get out after 5 years and have a great job then, I can tell you this: I can't say anything about his time, but his job opportunities are going to be slim. The security industry isn't big. People know each other. People like this are going to be not known, they are infamous. And nobody will willingly touch him with a 10 foot pole.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
was not being a giant multinational corporation. (sony)
then it's 'ok' to infect people.
learn the lesson. incorporate before you do the crime.
Holy crap! 3G has the IT security contract over here in Afghanistan (where I am stationed). This is so not good.
"We get caught laundering money, we're not going to white-collar resort prison. No, no, no. We're going to federal POUND ME IN THE ASS prison." --Michael Bolton
I think it's important to keep these kinds of people away from computers in general and clients specifically, but I don't see how you can "audit" for this kind of thing. I would say, that it might be a good idea to begin bonding IT workers, in certain cases at least. But how do you monitor against this, this guy installed spyware/trojans/adware on computer X while working on it? You'd have to send an auditor with him anytime he worked on something. Good luck with that! Or else you'd have to check every machine the guy worked on periodically, and the external auditor would have to be a top-notch guru on top of that. Yeah these guys are going to be expensive as hell on top of all that. Hmmm, come to think of it where can I apply? Oh and who audits the auditors? These are not like books that can be cooked and also have access to the money that underlies it. PC auditors would be capable of being the attack vector here.
...
The only way to do this would be for there to be some form of software that could take a snapshot of the equipment before work was done and immediately after. This software would have to be launched by someone. The software would have to have some means of validating that it in itself wasn't compromised and there'd have to be some external non-interested party (like the FBI), that it validated against. So this would be useless on say a computer that won't boot. In which case, a computer would need to validate on "birth".
And by the way, what the FUCK was M$ thinking when they left a backdoor to encrypted data in their OS. And perhaps, more importantly
Why? Would you ever store passwords and important data again with M$ technology, knowing M$ can read this data anytime they want to?
Now that Windows phones home, who is to say M$ won't read that data anytime they want to for any purpose they want?
Not a very good protection scheme if you ask me. They might as well go back to XOR encryption.
Lastly, I'd like to see this guy get life+ a day, I mean talk about your BOFH? I'll never complain again.
This incident just goes to show that the greatest security threat to your computer is ANYONE YOU LET HAVE ACCESS TO IT.
"We get caught laundering money, we're not going to white-collar resort prison. No, no, no. We're going to federal POUND ME IN THE ASS prison." --Michael Bolton
http://new.wavlist.com/movies/317/ofsp-poundme.wav
With that guy behind bars. I am really feeling secure now that that single person cannot wreak havoc anymore. And by the looks of it, he might end up there for the rest of his life, so nobody has anything to fear from him.
But what about those who are actually smart? What about those who did not get caught? They will still be able to take advantage of completely insecure pcs. Damn . . .
Strange how comforting it is to place confidence in the delusion that there is only one bad guy doing this botnetting thing. Of course, it is so much easier than for instance, to hold all those infected pc owners responsible for not securing their pcs. Or to hold a certain manufacturer of operating systems responsible for making their product insecure by default.
You know it makes sense, a little reminder from jointm1k.
FYI, half of the points (1 and 4) appear in the original article in LA Times.
Guess you've never had an account hacked like this and had to deal with the consequences. Having been through it, I'd like the 60 years to be hard labor and all his assets distributed to his victims. Maggots like this guy are a pestilence, a scourge on a free society where caring neighbors help one another.
I am much more empathetic with the guy who robs the 7/11 for a beer than a guy like this. I'd like to see him get the maximum. But then, I'd like to see more white collar criminals (like the Prince guy at Citi) get some well deserved time. I think on average people don't see white collar crime as that bad because there is no clear individual victim. This guy ripped off 250K people, maybe not with a gun, but still, ripped them off. The Citi guy has ripped off hundreds of thousands and was even paid a bonus to leave. Justice should've gone after Lay's estate when he died and distributed it to the Enron pension fund too, but we just don't prosecute white collar with a passion.
where do I get numbers like those? my client list is a bit smaller at the moment.
They're using their grammar skills there.
I think death by Guillotine or Axe sounds appropriate on public TV. I hope he REALLY gets what he deserves. 250,000 systems is nothing to laugh at. I hope he dies in prison at the least.
I hate when criminals continue to lie after being caught red handed.
They even lie badly in the end.
No one has mentioned the first thing I thought - why are we busting all these people without thinking of fixing the problem - the problem being people running software on their computers that allows them to be very easily hacked.
Sigh. No one blames Microsoft for releasing proven insecure software, even on machines that have No eXecute bits. Shit.
I've been using *nix or MacOS since 2000. I haven't even had to think about being hacked. The worst thing that happened was that I had an ftp server running that allowed anonymous uploads, so some scripts left little "kilroy was here" files there.
Yes what this guy did is immoral and he should get in trouble. But it sucks that we are in a technical environment that makes such things so tempting to begin with.
250K should be enough for anyone.
http://outcampaign.org/
Wicked observation. I assume that the KKK is your favorite jury pool, eh?
The proper punishment is to eliminate his access to computers and the Internet. Forever. If a 60 year prison sentence does that - well, it seems like a far more costly way to achieve the desired end than mandating a lifetime of work in fields not connected to computers and paying the fine until the day he dies.
The next time that you want to inflict inhumane punishments - go read up on the history of Great Britain - every horrible method of inflicting pain has been used and none of it stopped the crimes. Why the public hangings of pickpockets were among the most popular locations for pickpockets to ply their trade. Well researched, wizard!
Is antivirus software enough to protect against bots? There has been so much talk about these critters that I wonder how one would detect them.
Just think how many innocent baby seals will be saved once those worthless carnivores are gone from our planet.
scruffylookingbotherder is the hardest sequence of words I've had to read all week. I may have to make it a password. First I thought it was a reference to Scruffy from Futurama. Then I thought something was a bother. Then I saw both erders, bothered ers, butchers, looking over the border, etc.
Consciousness is a myth. Trust me.