Slashdot Mirror
Confessed Botnet Master Is a Security Professional
An anonymous reader writes "John Schiefer, the Los Angeles security consultant who in last 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing. Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society."
He is one of those people who, in my opinion, qualifies for MUCH more harsh punishment. My opinions are on the far extreme though... not likely to happen, but it does call for a good old fashioned lynching.
"..spent the last 15 months working as a professional in the security scene.."
Doesn't ANYBODY bother proofreading these things before they're posted to the main page??!? This is a simple mistake, but let's face it folks, there have been GLARING errors before. A little professionalism, please? KTHXBYE
He should have worked in finance. There it's expected for you to loot the company safe and walk away with billions of dollars. Leaving a burning building behind you taxpayers footing the bill for cleaning it up is absolutely expected. Big career path mistake on his part. Perhaps while in prison he can study for his MBA and open a hedge fund on release.
"... who in last 2007 admitted ..."
Was there confusion on which 2007 was being referred to? "last 2007" as opposed to the next 2007?
Not everyone can create a botnet. There's some skill involved and you have to know details about vulnerabilities and how to exploit them.
Did you expect him to be a shoe salesman?
This is like that guy from the Gaming Control board that was cheating slots.
As opposed to the 2007 before that?
15 years seems like a long time to figure out the punishment for a guy after he's found guilty.
I read the internet for the articles.
While I'm not surprised that it was someone heavily involved in the field, as a future security professional myself, I'm rather ashamed that this man's greed won out over his ethics.
Their culprit would turn out to be a pimple-faced highschool kid dialing in with his VIC-Modem and Commodore 64, and then he'd maybe even get a drudging job offer. Nowadays the job offer part comes first.
...says he's spent the past 15 working as a professional in the security scene...
Oh my God! Only the past 15?!? I've already spent the past 120 perusing slashdot.
Hint: qualifiers matter.
This guy's the limit!
Riiight, because most victims of sexual abuse go and create botnets to steal bank passwords. Disingenuous much?
Oops... wrong guy.
There should be 250,000 litigants, one each for the number of botted machines out there filing suit against him in addition to being behind bars with his hands cuffed (can one type in cuffs? might be interesting).
This guy is a poster boy for how due process ought to work for computer criminals. The trust factor should be zero. This isn't a hero, this is a master thief.
---- Teach Peace. It's Cheaper Than War.
Needs to be clarified is that this is 15 months he spent waiting for punishment, not 15 years. And the lenient sentencing is because he ultimately did not cause much damage.
to make sure the grammar is correct and the submissions lack certain unpleasantries such as run-on sentences.
Please edit submissions that contain glaring grammatical errors.
"An American security consultant who stole hundreds of thousands of online bank passwords by employing a massive botnet that he often administered from work"
davecb5620@gmail.com
Is it just me, or does 5 years seem kinda low for someone who has infiltrated 250,000 computers and has been stealing bank account passwords??
This summary hurts my brain... last 2007 and the past 15? Really?
What about the woman that gets raped on the street? Isn't she partly responsible for the rapists behavior?
Come on people, quit blaming the victim; especially when the victim is an average person (as is evidence by the sheer size that many botnets reach).
Two of my friends were gang-raped by botnets.
and for a moment was wondering how a confused botnet master could be a security professional...
My professional opinion is that Internet Explorer is a fast, reliable, and safe web browsing platform.
Also, make sure ActiveX is turned on. It's important for your safety.
According to /. logic, if she didn't want to be raped, she should have closed her ports.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
Is he going to thank Microsoft for their invaluable assistance in his career and sentencing award? After all, without Microsoft's dodgy software he wouldn't be able to have done what he did. Maybe he could just throw a chair at the judge in a symbolic gesture of thanks to Steve Ballmer.
It should read,
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Bank passwords. Don't they teach people how to parse sentences any more?
While he's in prison, make him learn a new trade. Maybe by using one of those internet colleges. He couldn't cause trouble doing that.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
I think the surprise doesn't come from the fact it was a security guy, but the idea that someone like a lot of slashdotters is that capable of hurting others. Outside of the money and women, part of what we do as IT is helping and protecting people in the wild west that is networks. The fact a "good guy" could be bad is an extra sucker punch because a lot of folks here deep down probably wouldn't do that, and would have a tough time associating with the reasons why.
Idealistic, eh? Still, sucks when John Wayne saves the girl only to go rob the bank one town over.
-Matt
--- Need web hosting?
In other news, Confessed Botnet Victims are Windows Users.
That's the sound of 30,000 other security professionals simultaneously saying "no shit!"
Depends on who you ask. If you're asking a socially conservative, self-righteous "virtuous" woman, she might say "yes", it's the girl fault. We know there are countries where people are like that. On Slashdot, if you ask a bunch of condescending techies about being a victim of a cyber crime, there's a good possibility that some of the people will blame the victim. I'm not saying that they're right but simply their perspective is narrower and maybe even biased. Personally, counting on people for reasonable, correct behavior is a fool's hope and failing to account for people's tendency to act less than reasonable is a weakness in any security system or protocol.
EvilCON - Made Famous by
spent the past 15 working as a professional in the security scene
Common CmdrTaco... Months...15 months....
I do not support "The Man". I also do not support your irrational stupidity
discover a security exploit and alert everyone: should get hero's reward
discover a security exploit and uses it, to harmless effect: should get thanks for discovery, a frown, and no reward
discover a security exploit and use it to, well, exploit: throw the book at him
unfortunately, it seems that all three classes of white, gray, and black hats get the same treatment
i'm not bringing the three classes up to argue leniency for the reprobate who made the botnet, i'm bringing up the fact that this guy is an example of someone who really should get punished severely, in contrast to gray and white hats who serve society and are unfortunately treated as the same class of criminal, when they are clearly not
this guy is the contrasting example of what a gray and white hat could have done with their knowledge, but chose not to. people need to be more aware of the valuable service gray and white hats provide
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I'm not grammar queen but come on CmdrTaco! This one hurt my brain cell. I think I lost one =)
The analogy just doesn't work. When you look at how someone becomes part of a botnet, it's often a Windows user choosing to execute something. It's social, not technical, not force.
The closes I can get to a rape analogy is that a woman seeks out a man, asks him for sex, does the deed, and then the next morning decides he wasn't the guy she was looking for. He was supposed to be a pretty screensaver, and instead turned out to be a spambot. There he is, in her bedroom, writing letters and taking stamps out of her desk.
The guy's an asshole, probably a con artist and maybe a thief, but he's not a rapist. It's just not in the same league of injustice.
"Believe me!" -- Donald Trump
The title should have been "Confessed Botnet Master is a Security Professional."
It's all fun and games till someone divides by 0. Then it's hilarious.
Well he's already on path for the 8th or 9th circle of hell.
8th Circle:
Bolgia 8: Fraudulent advisors are encased in individual flames.
9th Circle:
Round 2: Antenora is named for Antenor of Troy, who according to medieval tradition betrayed his city to the Greeks. Traitors to political entities, such as party, city, or country, are located here.
What about the individuals who's computers were compromised by him? Are they not themselves partially culpable for his actions? Shouldn't people feel compelled to not let themselves become zombies?
Sure, I should probably lock the door of my house when I leave for work... It's probably a good idea to lock my car in the parking lot, too... But that doesn't mean it isn't a criminal act if you walk into my house and steal something.
Yes, from an insurance standpoint not locking the door will likely have an effect. If my insurance company knows that I didn't lock my car they probably won't pay for any repairs it may need after being recovered. But the guy who steals it is still a criminal, still goes on trial, and still goes to jail.
Just because someone didn't patch their computer doesn't mean it's OK to exploit those vulnerabilities. It's a weak point in the computer's security, not an open invitation. Are you suggesting that it's OK to break into someone's house because the windows are fragile?
Creating a botnet from zombied computers is no trivial act. Simply exploiting a vulnerability takes some time and effort. It isn't as if this guy just kind of tripped over a botnet and accidentally stole some identities. This was an intentional criminal act.
"Work is the curse of the drinking classes." -Oscar Wilde
So prosecutors are asking for 5 years for stealing 1000's of bank details by a professional security consultant. Yet for that dastardly foreigner (MacKinnon) and complete amateur that embarrassed the military and did not steal or actually damage anything other than the US Government's pride with his dial-up modem - he is in line for 70 years. Is it just me or is there something wrong here?
The only person that can be blamed is him. Not his parents, not the school, not society.
No one put a gun to his head and made him hack. Take some responsibility.
Ridiculous.
Gone!
That really depends on a lot of factors. But the answer is that it's possible that risks she took and clothing she wore made her more of a target. She could bear some responsibility, but that in no way diminishes the guilt of the actual perpetrators.
The moral is: punish the bad guys, and implore women everywhere not to take stupid risks. Also, try to figure out what those risk factors are. It would be pretty dumb to avoid perceived risk that doesn't exist and ignore a real risk that you didn't bother to find out about.
I think that maps well to just about any crime you can be a victim of, really.
...or maybe that will be his new career. They could use a man of his honesty in that field.
Is the the same guy whose linkedin profile is here:
http://www.linkedin.com/ppl/webprofile?action=vmi&id=12553940&authToken=bUKc&authType=name&trk=ppro_viewmore&lnk=vw_pprofile
I'd start using a middle name if I had the same first and last names and was employed in the same city as this guy.
Doesn't speak well for his employers' due diligence either....
Um. "Lack of intellectual outlet" is no reason to break into a school computer. Why didn't you and your buddies set up computers for each other to break into?
Or maybe it's more the "thrill" that people are looking for, and we like to attribute it to "intellect" because that sounds much less criminal and much less evil/wrong. We don't like being "wrong."
"Quit being a bitch and claim it," Schiefer told an juvenile apprentice named Adam, according to court documents.
How the tables turn. Now it's Schiefer who's going to be told, "You're my bitch now, I claimed it".
-[d]-
It's good to see that ignorance and stupidity are still alive and well in 2009. Don't you have a meth lab to tend to?
Are we expecting another 2007? One can surmise that he most certainly did not set this up in 2007 BCE. Or did he?!
I wonder just how many security "professionals" are actually ethically compromised. When there is a conflict between money and ethics, money usually wins.
Internet. If he had he'd be facing ten years and a half million dollar fine.
Thanks to eating disorders most chicks are reasonably good looking these days.
Personally, counting on people for reasonable, correct behavior is a fool's hope and failing to account for people's tendency to act less than reasonable is a weakness in any security system or protocol.
The difference between meatspace crimes and internet crimes is the level of risk.
You can get away with less security in the real world,
because the level of risk to commit crimes is much higher.
Online, the risk is lower and in response, your level of security should be much higher.
[Fuck Beta]
o0t!
This comes from highly intelligent people not having an outlet for their intelligence
What a load of crap.
They guy is a painter that lives in a world where paint has been banned. Of COURSE he is a criminal.
Yeah, if only this guy had lived in a world where it's OK to steal from other people's bank accounts. That would be a great world, wouldn't it? Just think how much would get done if nobody could trust a bank! Why, it would be a grand new society! And people who desparately need the "outlet" of stealing things from other people in order to feel good about themselves would finally be able to live a more peaceful, happy life.
Um, unless the fact that there's no risk, and no longer any chance to be the guy weilding technology with malice makes it no fun anymore, right? How many vandals would there be if there was no cultural care about destruction of property? Without the thrill of screwing someone else out of their time, property, and efforts, what's the point? Right. The point is the power trip and the pleasure from destruction and getting away with something. That's why guys like this would still be rotten even if there weren't computers and networks. You think he's highly intelligent and just being kept by his evil school from using it? Are you really one of these people that thinks it's up to the schools to amuse everybody according to their own individual tastes, level of boredom, and lack of enough imagination to do something outside of school to keep busy and interested?
Don't disappoint your bird dog. Go to the range.
There's some skill involved and you have to know details about vulnerabilities and how to exploit them.
Indeed. Many moons ago (back in the early 1980s, when "IBM PCs" were still new and beginning to be affordable) I was a security consultant to a certain large technology company not far west of London. Part of my brief was to write aggressive self-replicating routines in an attempt to disrupt crackers' activities. Thus I might claim credit for a few of the earliest viruses, but that's not really my point, which is that in those days work like this was done in assembly code, and as such was reasonably challenging. I was quite proud of it for that reason.
I haven't kept up with this particular technology, but I gather viruses such as these are a lot easier to craft now, particularly since users don't typically notice small (or even large) drains on resources any more.
Regardless of whether or not one admires botmasters' motives (and I don't) crafting botnets on a large scale has a certain "cool" factor, since there is quite a lot of work, skill and even artistry involved in setting them up.
Ow...
A lot easier to break into a store without breaking any physical objects. It's still not allowed but when only people like yourself can find you and understand how you broke in... well then it's more of one dude doing whatever he wants with the off-chance that there might be somebody smart enough to understand what was done and there might be somebody smart enough to find him... key word "might". Video cameras and security guards have a much better chance at catching the guy breaking in the door and taking watches vs this guy that is nearly invisible, unobtrusive, non-destructive, and sly.
Throw him away for one year for every time he had a bot... I'm sure after the 3rd the only other exciting bots he made were the 100th, 1000th, 100000th, 150000, 200000, and then the last one...
Put him in jail for at least how long it took him to create that network...
e engineer in all of us is going to go "What caused this? how can we fix it?". I don't know. Part of me wants to blame the schools.
Not really. I blame him. He's the only one responsible for the decisions he has made.
They guy is a painter that lives in a world where paint has been banned.
Since when has paint been banned? It's illegal to hack others' systems, yes. Likewise, it's illegal to break into other people's houses, etc.
It's not illegal to break into your own systems, uncover vulnerabilities, etc. While I suspect at least someone will claim you can be sued or go to jail for finding software vulnerabilities, people do it all the time. They're computer security researchers. (Some of them even have their own botnets, but not using others' machines -- that is beyond the hobbyist level of investment.)
There are plenty of productive ways for him to have challenges, even within the same field, without resorting to illegal and unethical acts.
This comes from highly intelligent people not having an outlet for their intelligence.
Say *what*?
You're insulting all the smart people who found an outlet for their intelligence, especially those of us with spotty academic records who somehow managed to avoid turning into criminal bullies. Maybe it's not "society's fault" after all?
Maybe she wanted someone else to close her ports.
but simply their perspective is narrower and maybe even biased."
i will say without a doubt that they are flat out wrong
the issue here is the scantily clad woman getting raped, and the clueless computer user getting hacked: are they to blame for their plight? no, they are blameless
sure, if they dressed like prudes and they surfed from a tor proxy, they wouldn't be in the plights they are in. but that offers up no lessons on the issue of repsonsibility. you can cause something, but not be responsible for something. likewise you can be responsible for something, even though you didn't cause it
for example, if i call a guy an idiot on the internet, and the guy stabbed me, i caused the guy to stab me, but the guy who stabbed me is the responsible party, not me. he committed the transgressive crime. blaming me in any capacity is morally incoherent
to believe otherwise is to not believe in personal responsibility. responsibility for a situation always falls on they who commits the gravest transgression, according to any cohesive moral code. and simply wearing skimpy clothes, or being clueless about computers, is but a minor foible compared with rape or hacking
to not understand this about morality is to not understand much about morality at all
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
This seems to be a common thing here on slashdot. Take valid logic from one scenario, transfer it over to a completely different scenario and then rate insightful or interesting because the logic no longer works. The devil's in the details folks.
Leaving the (IMO bad) rape analogy aside, I would say it is partly the victims fault. The average person doesn't want to take the time to learn a few things about basic computer security, and this creates a breeding ground for botnets. Conflicker originally spread through email attachments, it's amazing to me that people are still opening attachments from people they don't know, especially executables. And yes, I believe if the average person hasn't learned by now that this is not a good idea then they should bear some of the responsibility for these outbreaks.
To use one of those analogies I talked about at the beginning of my post, it's as if everyone is leaving their keys in their unlocked cars and then wondering why thieves are having a field day with them. Is it their fault that their car was stolen? No, but they aren't helping the situation by not taking basic security precautions.
Murphey's fighting Occam, and we're in the stands.
To further this analogy, here is the clothing that was designed by microsoft to protect her from all external access. NSFW... :D
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
Always two there are, a master and an apprentice.
"Their culprit would turn out to be a pimple-faced highschool kid dialing in with his VIC-Modem and Commodore 64, and then he'd maybe even get a drudging job offer. Nowadays the job offer part comes first."
In all likelihood, the culprit is a former pimple-faced highschool kid who used to dial into machines with his Commodore 64.
The crackers grew up. Some of them moved on, some of them didn't.
I'd rather have 250 virtual thefts than a single forced entry theft.
What this guy didn't do is cause extreme emotional stress that a normal burglary would. This guy needs minimal jail time if any, and then some public service. The guy isn't exactly stupid, put his talents to use.
Sorry, but no, sorry.
I'm also a painter in the world where paint is banned. Exactly the same situation. Yet paint is not entirely banned. You can get some from people who hand it to you to paint them a nice picture. Or, to get away from the metaphor, you may hack any server whose admin hires you to do just that.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
John helps run awknet.com.
The funniest thing about this, is someone is going to jail and half of slashdot is calling to "burn him" for pushing buttons on a keyboard.
A kid somewhere in the world, sitting in front of a computer, pushing some keys on a keyboard. And now he's going to jail.
el oh el internets.
"John Schiefer, the Los Angeles security consultant who in last 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing.
Even worse, I hear the submitter has been working the past 15 months as a professor of English language while awaiting sentencing for negligent grammarcide.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
There is a slight difference between a women being randomly raped on the street and someone not doing anything at all to protect themselves from a botnet. There isn't much the woman could do to defend herself thats within reason, but there is alot the average computer user could do to protect their computer, eg. installing updates regularly, using a decent anti-virus etc. But I still think the guy that created should still be punished, regardless
. It isn't as if this guy just kind of tripped over a botnet and accidentally stole some identities. This was an intentional criminal act.
Are you saying that has never happened to you before?, it happens to me everyday
John Schiefer, the Los Angeles security consultant who, in 2007, admitted
I'll try anything once. Twice if it tastes good
From TFA:
From your comment:
In all seriousness, it's a really bad idea to suggest that being capable of something, or representing a threat, is enough to punish someone for. Yes, this guy has probably caused a lot of damage. Should we convict him on the "probably"? No. Get some real, hard evidence, then do something. Preferably, do something useful, like show him how much damage he caused, and introduce him to the people who's lives he messed up, rather than just taking revenge on him. People who do that (namely, most of the so-called justice system) are part of the problem that makes this a dog-eat-dog world, not part of the solution.
That analogy might work if we're talking about a miscreant who rapes by proxy with an army of relatively stupid rape-bots that run around looking specifically for people with no nickers whose legs are spread wide open and/or ass cheeks spread to accommodate its specific design. In that case, if you know or suspect that there's an army of such rape-bots running around and you don't take adequate precautions, you won't get much sympathy.
Totally not an original idea... this guy came up with it first.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
That depends on whether you consider the fault on her part having been raped, or failing to try to prevent it, I suppose.
I wouldn't say it's entirely her fault for being raped, but it is her fault for not taking the appropriate precautions to inhibit or prevent the rape. In so far as she does not take precautions, she is (at least) liable for the rape (to the same degree that someone wearing fishnets down a slum alley after dark would be, but to a lesser degree). No, nobody ever "asked for it" - that's the extreme, and so far off on right field that it holds no validity. However, that does not diminish the fact that it hits upon a sentiment (albeit, entirely too strongly) which is appropriate.
In a just world with self-aware, prudent women, that would mean that said potential-rape victim would go about armed so as to inhibit and discourage a rape - and such behavior would be not only acceptable but expected. Much in the same way that it should be acceptable and expected for a person to keep their operating system and software up to date.
Ignorance and naivety have never been excusable traits. Forgivable, certainly.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
They guy is a painter that lives in a world where paint has been banned. Of COURSE he is a criminal.
No, he is a guy who was trying to rip off people's personal information for personal gain. Which, gratefully, is banned in this world.
Part of me wants to blame the schools.
This is the primary flaw in your argument. There is no one to blame here. He is the only one to blame here. He made a choice to commit a crime and is accountable for it. I grew up with a much more "deviant" childhood than what you described. I do not commit these crimes because I choose not to. It's to no credit of the schools, organized religion or any other bullshit. I CHOOSE not to do these things.
Oh, he's fully responsible for his own actions.
Just as the people who were exploited are responsible for having been exploited. Their own damn fault.
No, that is not a contradiction. You'd get fired if you, as a security professional, were responsible for the network and it got taken down, would you not? Same kind of thing with those he exploited. Responsibility is responsibility, regardless of scale.
(Note, legal fault/responsibility is different than personal responsibility, obviously.)
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Or you're welcome to set up your own server and hack THAT.
This guy is a painter who insists on painting only on old masterpieces that he's stolen from museums.
If I was relatively ignorant of security matters there's no way I'd let this guy anywhere near my systems. On the other hand, knowing what I know, this is exactly the guy I'd want for the job. I'd insist, of course, on detailed information about his actions, that I could audit myself if need be. I'd much rather have someone who knows what they're doing than some of these security outfits who are basically charlatans.
You've got your computer over there, and I've got my computer over here, and I have a looooonnnnggg series of tubes connecting my computer to your computer. Your computer has your bank account information in it, so through this long series of tubes, I go into your computer and take your bank account information...
"Pushing some keys" my foot.
If you're REALLY good and REALLY smart there is some really good (and legal) money in being a hired hacker. Get a contract, start working.
Actually, it's the crappy hackers that end up like this asshat. Sure, it's easier to hack machines that were never meant to be secure (like, say, the average home user Windows machine). I actually refuse to call it a "hack", but he sure is a hack.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Ah, the old nippleless female human. A rare specimen, or so I've heard.
Mother, do you think they'll like this sig?
You're sarcastic, but I've accidentally stolen some identities. The following has actually happened to me (multiple times):
"Hmm... this login page looks a little funny... www.myspaec.com/login/login.php eh? Wonder what's up a directory... Oh look, login.php and passwords.txt, are you freaking kidding me."
I mean, I'd probably just dump the logins to a text file too, but in a public directory? A public, LISTABLE directory?! Experiences like this have warmed me to the idea of some skiddie building a botnet and somehow managing to ship a control panel executable with every infection.
you've never heard of a blade server?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I am actually impressed he had a 250,000 strong botnet. Sure cracking bank passwords is bad, but not really. No one get's physically hurt, banks are insured, no guns, and no police chase after the getaway car. Someone steals your pin and withdrawals your account it's not like you are screwed for life. It's not like the money is even real or the bank can just undo the changes. Your money is numbers on a screen and sometimes paper representing numbers on a screen. I give this man credit for finding a safer way to rob banks. Saying the man deserves some kind of lynching or any other type of strange punishment is nuts.
If he's got that many niggers around, he'd be better off making crack. Meth is a white man's drug.
Don't.
Be.
Stupid.
FLR
Sure, I should probably lock the door of my house when I leave for work... It's probably a good idea to lock my car in the parking lot, too... But that doesn't mean it isn't a criminal act if you walk into my house and steal something.
Or, because I'm sooooo much more comfortable with the car analogy than the rape analogy... if you leave your car unlocked, and someone steals it, yeah, you were dumb, and it sucks that your car is now stolen.
It happens that cars used in crimes are often stolen cars. If your car is stolen, then used in robbing a bank, do you have any culpability for robbing the bank? If a security guard gets shot in the robbery, do *you* get slapped with a wrongful death suit? What if he gets run over with your car during the getaway?
Yes, you are, to an extent, morally at fault for your car getting stolen, and the penalty is your car is gone. But you're *not* morally responsible for what someone does with your stolen car. That's too much of a reach, even for 85% of /. (I'm sure as many as 15% of slashdotters can make even THAT leap, though.)
Don't you wish your girlfriend was a geek like me?
Sure, I should probably lock the door of my house when I leave for work... It's probably a good idea to lock my car in the parking lot, too... But that doesn't mean it isn't a criminal act if you walk into my house and steal something.
Yes, from an insurance standpoint not locking the door will likely have an effect. If my insurance company knows that I didn't lock my car they probably won't pay for any repairs it may need after being recovered. But the guy who steals it is still a criminal, still goes on trial, and still goes to jail.
In that specific case? It's possible that if you didn't take "reasonable" steps to secure your property, the thief would be able to get a lesser sentence. (Yeah, this really does depend on the jurisdiction, but the principle of mitigating and aggravating factors changing the sentence will hold true everywhere which uses English Common Law as the basis, including the US. AIUI anyway.)
With hacking, the key bad act is the usage of the computer without the approval of the owner. If the user fails to keep patched that will mitigate, but leaving behind anything to make it easier to get back in would (significantly) aggravate, just as making a copy of the house key would make burglary much worse. (According to TFS, one of the objectives of the hacking was the theft of "bank passwords", which is a separate fraud-related crime.)
This was an intentional criminal act.
Yeah. And (leaving the law out for the moment) it really comes down to whether we, as a community, could ever trust him again. I don't think I could; if I ever hired him to do something for me, I'd not want to use the result until I'd had it independently verified by someone I trust. But then again, at that point I'd just hire the trusted verifier to do the work for me in the first place...
"Little does he know, but there is no 'I' in 'Idiot'!"
Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.
Well, you can arm a PoC Exploit and crack a few PCs that way. Then you have only access to the box. Typically this might get detected quite fast by AV vendors, so you better have to obfuscate that code some more.
So by then you have a working sploit but you are not somewhere near to a botnet. First, you need code that stays on the box meaning it should start itself when the machine gets booted up. And if you want to be successful you should not choose HKLM/local...entVersion/run/ but something more subtle. The easy way to go here would be another less known registry value but this means executing a process that can be seen and thus be dealt with in your task manager. So, ideally you inject a dll into another process. Now that already takes quite some knowledge.
Now you still do not have a botnet, still far from it but closer.
No, you need a mechanism to distribute that code. That could be using the armed PoC exploit, brute forcing shares in the net, infecting files, copying to other devices or inclusion in Zip files etc. or just emailing itself in a combination with social engineering techniques so the recipient will execute that malware of yours.
And writing your own SMTP engine in assembly might not be that easy anymore. But for the sake of the argument, let's say you want to exploit a Windows SMB vulnerability. Then you have to think about algorithms for finding an IP address in an effective manner. And you have to make sure that it does not spread to fast because then you create a lot of noise that will get peoples attention and you even might cause enough scanning/exploitation attempts to clog the very pipes you need to spread.
That having said, you will want to disturb the work of antivirus companies. That means you have to identify the net ranges used by these AV companies and design your spreaing algorythm in a way that excludes those ranges. Then you will want to block AV software on infected hosts from getting signature updates, so you have to identify those IPs/DNS names as well in order to block the hosts access to them. As you can enter your victims through an exploit you even have the chance to avoid AV detection as a whole which means that you have to cleverly hide your presence form the AV or you (try to) disable the AV software altogether without the user and the host OS noticing. Not so easy at all! And you want to avoid to be dissected all to fast, so will want to implement some more obfuscation: assembly level anti-debugging features, self written executable packers, maybe virtual machine detection etc.
Congratulations, you now have written a worm. Of course you better test it with various OSses, languages, releases and AV systems, right?
Now, you still do not have a botnet!
For a botnet, you need some command and control structures. You need to communicate with your victims. Now that makes you easily traceable, so you might want to make your botnet a double-fast flux peer-to-peer network. Easy, isn't it?
And then you just have to find a way so that the money you are trying to make off of that botnet does not get easily traced back to you.
But yes, I agree, all it needs is a script kiddie that can exchange some NOP and 0xEB 0xFE code with a working payload, right? As easy as winking.
Clearly that guy neither must have any real knowledge about IT security nor can he be intelligent or skilled in any way.
Which, BTW, does not mean that I do not condone this, in fact I do. But if you happen to have those skills and you probably have invested significant time into learning everything about it and you are being paid just a bit over minimum wage (e.g. because you were on parole or for some other reason) and you are told every second day that your skills are
User maintains more than a dozen sockpuppet accounts on Slashdot.
How about making the punishment actually fit the crime? I've always thought the most just crime for theft is not prison, but as stated in the Bible, "if the thief be found, he shall restore double". Most importantly, the victim actually gets compensation for what was stolen, plus some for his trouble. This is a just compensation which actually benefits the victims of a crime. Far more so than locking the guy in jail, especially for a crime which is not imminently violent, is.
Your theory on the troll mod is total bullshit. Most of us IT security guys here have been modded "Troll" so many times that we haven't seen mod points for years, and will never see them again, despite "Excellent" karma. Like every other troll mod here, very special idiot moderators with unlimited mod points are probably to blame, along with other random idiots who just happened to have a few mod points now and then.
If you mod me down, I shall become more powerful than you could possibly imagine.
The real info about his case from the DOJ: http://www.usdoj.gov/criminal/cybercrime/schieferCharge.pdf
His sentencing has been postponed twice. Currently scheduled for sentencing on Feb 25, 2009.
Currently working as the only system and network administrator at an LA start up that is a search engine/social networking company. If you've ever watched or listened to Love Line, think Adam Corolla and his famous saying before they close the show and that's the place you may want to check your bank account if you use them, as they are heavily integrated with paypal too. I would use a different search engine at least until the fire they guy and secure their network. You may want to check your Amazon S3 as they use that service.
I don't know about you, but a guy like that should not be allowed to work in IT while awaiting sentencing or after sentencing. Also, the company he is working for, knows who he is and is choosing to keep him as the system admin. They believe he is reformed.
But the worst part of the whole thing, that company shares an office space with another company who has like 20+ employees and they all share the same network, and they have no idea he's in there! good luck to you people who share the office and network!
My little pedantic self would like to point something out:
The crime the guy would go to jail for would be different depending on whether or not you locked the door -- whether it's "breaking and entering" or illegal entry.
Actually, here's a fun thought:
1. The people in prisons score on the average over 20 on the antisocial personality disorder scale, which is to say you have a spectrum ranging from borderline sociopathic to outright psychopaths. A normal person scores 2-3.
2. There is no known way to turn a sociopath into a normal person. Trying to psychanalyze them just teaches them to fake the answers that will hide their callousness better.
3. Showing one the damage he's done and the people whose life he's destroyed... does nothing whatsoever, since a sociopath doesn't give a fuck about other people in the first place. They live in a single-player world, with them as the player and the rest being about as important or empathy-worthy as the NPCs in <insert MMO or RPG>. You can lie to them, manipulate them, cause all the harm you can get away with, whatever advances your quest or keeps you entertained. It doesn't matter, they're just NPCs. That's the kind of world a sociopath lives in. It includes even their own children, not just strangers who downloaded a virus.
4. They have a tendency to not have a sense of personal responsibility. They'll just shift the blame to someone else (e.g., the victim for being too stupid to download a virus) or rationalize it in any other way.
So, seriously, if you know some way to "undo" sociopathy, by all means, we'd all be very interested to hear it. But otherwise let's bury the retarded idiocy already that prisons should be some touchy feely school in respecting other people's feelings. These guys just can't do that.
The only thing they do understand is, basically, "let's not do something that will get me locked up for good". Well, some of them. Turning it all in just a slap on the wrist and some pouty "you've been a meanie and upset people" lesson will just remove that deterrent too.
A polar bear is a cartesian bear after a coordinate transform.
My own pedantry demands that I correct your slight error: If the door was closed, entering (even if it were unlocked) would still be classified as "breaking and entering".
http://en.wikipedia.org/wiki/Breaking_and_entering#Historical_definition
The first element, "breaking," required at least a minimal application of force. The opening of an unlocked door was sufficient, but if a person entered a house through an already open door or window, there was no "breaking" and therefore no burglary, even if all other elements were present. However, if a person were to enter the house through an open door, and were then to open a closed door leading to another room in the house, that would qualify as "breaking" into that room.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
If you want to real story on his case just look up the DOJ release No. 08-043
Sentencing has been postponed twice, now scheduled for FEb 25, 2009.
Currently working as a system/network administrator for a Santa Monica startup, they are a search engine/social portal(hint: hawaiian word for thankyou). If your not using the usual google/yahoo/msn. be careful!