Slashdot Mirror


US Bot Herder Admits Infecting 250K Machines

AceCaseOR writes "In Los Angeles criminal court, security consultant John Schiefer, 26, has admitted infecting the systems of his clients with viruses to form a botnet containing a maximum of 250,000 systems. Schiefer used his zombies to steal users' PayPal usernames and passwords to make unauthorized purchases, as well as to install adware on their computers without their consent. Schiefer agreed to plead guilty to four felony charges of accessing protected computers to commit fraud, disclosing illegally intercepted electronic communications, wire fraud, and bank fraud. He will be sentenced Dec. 3 and faces up to 60 years in prison and a fine of $1.75 million."

9 of 206 comments

  1. from the article by Anonymous Coward · · Score: 5, Funny

    "...a system so simple even a grandmother could use it to infect computers..."

    As a feminist, and a grandmother, I resent that.

  2. A better article, names companies involved, etc. by trolltalk.com · · Score: 5, Informative
    http://www.scamfraudalert.com/f142/john-kenneth-schiefer-botmaster-aka-acid-acidstorm-pleads-guilty-10692/

    1. He was employed at a Los Angeles-based security firm known as 3G Communications.
    2. The malware contained a sniffing feature that siphoned PayPal credentials from Protected Store, a section of Windows that stores passwords users have opted to have saved. Although Pstore, as the Windows feature is often called, encrypts the information before storing it, Schiefer's malware was able to read it, presumably by escalating its Windows privileges.
    3. On one occasion, in December 2005, he moved money out of a Suffolk National Bank account to buy undisclosed domain names from a registrar by the name of Dynadot.
    4. Schiefer also used the botnet to collect more than $19,000 in commissions from a Dutch company called Simpel Internet for installing its adware on end users' machines without their permission.
  3. Re:White collar by Dogtanian · · Score: 5, Insightful

    He'll get 5 years at a country club and a bunch of great job offers after he gets out. You heard it here first.

    Actually, I suspect that there's going to be a major perceived difference between someone who has simply hacked into others' computers in the past, and someone who has specifically exploited the trust of and targeted those who employed him to protect their PCs.

    Would I trust a former black-hat hacker to protect my computers? Possibly. Would I trust someone who has specifically targeted and screwed over his clients in the past- the people who paid him good money to protect them from such behaviour? Would I fuck.
    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  4. He did the crime....he should do the time by Joce640k · · Score: 5, Insightful

    He knowingly, willingly and maliciously did this. It wasn't an accident, a crime of passion or something he did because he was drunk one night, it took real work over many months. He was well aware of what he was doing the whole time he was doing it.

    The proverbial book needs to be thrown at people like this. These are precisely the sort of people we should be making an example of.

    --
    No sig today...
  5. Re:Whoa! by brassman · · Score: 5, Insightful

    Indeed, it's worth stressing why the penalty should be so severe. The guy positioned himself as a security expert, offering to protect his clients against this very sort of thing.

    Gaining someone's trust with the intent to betray it is a particularly pernicious form of moral rot. It is called "embezzlement," and there is a reason it is viewed even more harshly than burglary or robbery under the law.

    Losing property to a hostile stranger does not turn society upside down. Burglary (taking someone's property) is often considered rather petty, especially when the property owner is absent.

    Robbery (taking property directly from someone) is more serious -- but even though there is an active component of threat, it can be impersonal: "Hand it over and nobody gets hurt." Robbery without violence might disrupt the victim's life, but the disruption might be only to the extent that he or she is reminded that none of us is an invulnerable superbeing.

    Embezzling someone's assets invalidates their judgment and throws every decision they have ever made into question. It is psychologically devastating. When someone who has promised to protect you is instead the one who steals from you, he is undermining the basis of civilization itself.

    --
    "Ain't no right way to do a wrong thing."
  6. Re:broken justice? by RenderSeven · · Score: 5, Informative

    I guess he can always appeal, right?

    You can't appeal a guilty plea.
  7. Re:"security consultant" John Schiefer by Anonymous Coward · · Score: 5, Funny

    Quoth Dogbert, "I like to con people. And I like to insult people. If you combine con & insult, you get consult!"

  8. Re:Whoa! by Grave · · Score: 5, Insightful

    I don't believe he meant to put down the experience of being robbed. Rather, I believe his point was that the morality of a person who commits robbery is not quite as damaged and evil as someone who knowingly gains the trust of thousands just to deceive them. To the victim the difference may not be significant, but for the perpetrator of the act it is very different, and thus deserving of a more substantial punishment. Though I must say, he's not going to serve 60 years - that's the max, and I find it hard to believe any judge is going to sentence him to the full time, as it would be pretty much the rest of his life.

  9. Re:White collar by MillionthMonkey · · Score: 5, Insightful

    What kind of fucking lunatic would hire somebody who has PROVEN that he says he's one thing but is actually another?

    Oh you'd be surprised. This guy might have a bright future ahead of him in politics.