Slashdot Mirror

← Back to Stories (view on slashdot.org)

Confessed Botnet Master Is a Security Professional

Posted by CmdrTaco on from the he-should-know-better dept.

An anonymous reader writes "John Schiefer, the Los Angeles security consultant who in last 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing. Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society."

31 of 278 comments (clear)

  1. This should come as no surprise by htnmmo · · Score: 4, Insightful

    Not everyone can create a botnet. There's some skill involved and you have to know details about vulnerabilities and how to exploit them.

    Did you expect him to be a shoe salesman?

    This is like that guy from the Gaming Control board that was cheating slots.

    1. Re:This should come as no surprise by TheRealMindChild · · Score: 3, Insightful

      There's some skill involved and you have to know details about vulnerabilities and how to exploit them.Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    2. Re:This should come as no surprise by QuantumRiff · · Score: 2, Insightful

      No, but I'd expect him to know the repercussions of what he was doing, based upon his job. We hold people to higher standards in professional careers. A fireman that is an arsonist (okay, a criminal one, every fireman is a pyromaniac), or a Policeman that robs banks deserve much higher sentences for violating the public trust.

      --

      What are we going to do tonight Brain?
  2. Disgraceful by DeadPixels · · Score: 4, Insightful

    While I'm not surprised that it was someone heavily involved in the field, as a future security professional myself, I'm rather ashamed that this man's greed won out over his ethics.

  3. I miss the old days by MillionthMonkey · · Score: 4, Insightful

    Their culprit would turn out to be a pimple-faced highschool kid dialing in with his VIC-Modem and Commodore 64, and then he'd maybe even get a drudging job offer. Nowadays the job offer part comes first.

    1. Re:I miss the old days by Opportunist · · Score: 2, Insightful

      Only because nobody in the field touches a known criminal with a 10 foot pole anymore. You may rest assured that he's out of the biz for good now.

      Unfortunately there are crooks in every field. You have firemen starting fires. You have cops breaking laws. And they're usually also harder to catch because they know exactly how the deal works, what to watch out for, how to do it to leave no usable tracks, etc.

      At least I can find my peace in the fact that it's not swept under the rug in our biz.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:"in last 2007" by bsDaemon · · Score: 2, Insightful

    2007 BCE?

  5. Being sexually abused is a mitigating factor? by Anonymous Coward · · Score: 4, Insightful

    Schiefer's attorney also said his history included a "substance abuse problem" and being "the target of sexual abuse."

    Riiight, because most victims of sexual abuse go and create botnets to steal bank passwords. Disingenuous much?

    1. Re:Being sexually abused is a mitigating factor? by Anonymous Coward · · Score: 4, Insightful

      Riiight, because most victims of sexual abuse go and create botnets to steal bank passwords. Disingenuous much?

      No, but they do engage in self destructive behavior such as substance abuse, addiction and crime.
      (not an excuse).

    2. Re:Being sexually abused is a mitigating factor? by Anonymous Coward · · Score: 2, Insightful

      Sexual abuse victims are more likely to commit murder (of their abuser) or sexually abuse others. I'm fairly certain that they aren't any more likely than you or me to create a botnet.

  6. Glad we have editors here... by shoegoo · · Score: 2, Insightful

    to make sure the grammar is correct and the submissions lack certain unpleasantries such as run-on sentences.

  7. Five years? by brian0918 · · Score: 3, Insightful

    Is it just me, or does 5 years seem kinda low for someone who has infiltrated 250,000 computers and has been stealing bank account passwords??

    1. Re:Five years? by furby076 · · Score: 2, Insightful

      Considering that people who commit manslaughter can go to jail for less then no I don't think so.

      Problem with our legal system is that it has disparaging sentences. This turns out to be cruel and unusual punishment. We have people who kill others and go to jail for a couple of years...then we have people who rob banks who go to jail for a decade (plus extra time for each illegal weapon/ammunition even if a shot was never fired) and then we expect computer hackers (while malicious, didn't kill anyone) go to jail for a long time?

      Yes what he did was bad, but no 5 years is a bit extreme, and anything over that is just being petty.

      --

      I do not support "The Man". I also do not support your irrational stupidity
  8. It's not shoe salesman vs IT, it's "one of us" by Wrexs0ul · · Score: 5, Insightful

    I think the surprise doesn't come from the fact it was a security guy, but the idea that someone like a lot of slashdotters is that capable of hurting others. Outside of the money and women, part of what we do as IT is helping and protecting people in the wild west that is networks. The fact a "good guy" could be bad is an extra sucker punch because a lot of folks here deep down probably wouldn't do that, and would have a tough time associating with the reasons why.

    Idealistic, eh? Still, sucks when John Wayne saves the girl only to go rob the bank one town over.

    -Matt

    --
    --- Need web hosting?
    1. Re:It's not shoe salesman vs IT, it's "one of us" by Anonymous Coward · · Score: 5, Insightful

      I wouldn't be surprised to find that most people are not too far away from the Office Space mentality: Having something to lose, fear of punishment and lack of opportunities seem to be the only barriers. Why do you think Russia is teeming with black hats? Those are intelligent people who have little to lose and much to gain by joining the dark side.

      Ethics is a team sport. We're not all heroes who do the right thing no matter what is being done to us. The hero or one-man-army image of security professionals should fade away. It's a delusion. People of all ranks and professions have it in them, as you should have noticed in the recent months. You have to account for people going rogue. Redundancy, verification and limited power are the way to security, not hiring a wizard.

    2. Re:It's not shoe salesman vs IT, it's "one of us" by Anonymous Coward · · Score: 5, Insightful

      "Good? Bad? I'm the one with the gun." - Ash, Army of Darkness

      What do you mean, "one of us"? A common thief? An opportunistic prick who capitalizes on the ignorance of others? A coward, afraid to face the consequences of his actions? A foolish asshole who thought he would never get caught? None of those describe me (and I suspect not you either).

      Oh.. You mean he works in the IT department? That doesn't make him a "good" guy. In this country any asshole has the same opportunities as you or I. Its what we make of those opportunities that defines us.

      There is nothing inherently noble about working in IT.

  9. Hear that sound? by yttrstein · · Score: 3, Insightful

    That's the sound of 30,000 other security professionals simultaneously saying "no shit!"

  10. Re:Substantial Threat to Society? by Comatose51 · · Score: 5, Insightful

    Depends on who you ask. If you're asking a socially conservative, self-righteous "virtuous" woman, she might say "yes", it's the girl fault. We know there are countries where people are like that. On Slashdot, if you ask a bunch of condescending techies about being a victim of a cyber crime, there's a good possibility that some of the people will blame the victim. I'm not saying that they're right but simply their perspective is narrower and maybe even biased. Personally, counting on people for reasonable, correct behavior is a fool's hope and failing to account for people's tendency to act less than reasonable is a weakness in any security system or protocol.

    --
    EvilCON - Made Famous by /.
  11. the way things should ideally work: by circletimessquare · · Score: 1, Insightful

    discover a security exploit and alert everyone: should get hero's reward

    discover a security exploit and uses it, to harmless effect: should get thanks for discovery, a frown, and no reward

    discover a security exploit and use it to, well, exploit: throw the book at him

    unfortunately, it seems that all three classes of white, gray, and black hats get the same treatment

    i'm not bringing the three classes up to argue leniency for the reprobate who made the botnet, i'm bringing up the fact that this guy is an example of someone who really should get punished severely, in contrast to gray and white hats who serve society and are unfortunately treated as the same class of criminal, when they are clearly not

    this guy is the contrasting example of what a gray and white hat could have done with their knowledge, but chose not to. people need to be more aware of the valuable service gray and white hats provide

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  12. Re:How long does sentancing take? by mmkkbb · · Score: 2, Insightful

    Read the article, not the summary.

    --
    -mkb
  13. Devine Comedy by 0100010001010011 · · Score: 3, Insightful

    Well he's already on path for the 8th or 9th circle of hell.

    8th Circle:
    Bolgia 8: Fraudulent advisors are encased in individual flames.

    9th Circle:
    Round 2: Antenora is named for Antenor of Troy, who according to medieval tradition betrayed his city to the Greeks. Traitors to political entities, such as party, city, or country, are located here.

    1. Re:Devine Comedy by Chaos+Incarnate · · Score: 4, Insightful

      But that's just the normal Hell. Doesn't he deserve the special Hell, along with child molesters and people who talk in the theater?

      --
      Benford's Corollary to Clarke's Law: "Any technology distinguishable from magic is insufficiently advanced."
  14. Re:You really want a rape analogy? by MozeeToby · · Score: 5, Insightful

    The closes I can get to a rape analogy is that a woman seeks out a man, asks him for sex, does the deed, and then the next morning decides he wasn't the guy she was looking for. He was supposed to be a pretty screensaver, and instead turned out to be a spambot. There he is, in her bedroom, writing letters and taking stamps out of her desk.

    No, the anology here would be: A woman asks out what seems to be a nice man for dinner. At dinner he slips a roofy into her drink, drags her back to the car and rapes her. The next morning she knows that something is wrong, but can't remember a thing and so doesn't properly report it or deal with the consequences.

  15. Re:Smart People by schnikies79 · · Score: 5, Insightful

    The only person that can be blamed is him. Not his parents, not the school, not society.

    No one put a gun to his head and made him hack. Take some responsibility.

    Ridiculous.

    --
    Gone!
  16. Re:A note to the editors... by spikejnz · · Score: 2, Insightful

    You're making the assumption that the "glaring grammatical errors" are obvious to those individuals making such "glaring grammatical errors."

    Fail!

  17. Re:Substantial Threat to Society? by TubeSteak · · Score: 3, Insightful

    Personally, counting on people for reasonable, correct behavior is a fool's hope and failing to account for people's tendency to act less than reasonable is a weakness in any security system or protocol.

    The difference between meatspace crimes and internet crimes is the level of risk.

    You can get away with less security in the real world,
    because the level of risk to commit crimes is much higher.
    Online, the risk is lower and in response, your level of security should be much higher.

    --
    [Fuck Beta]
    o0t!
  18. Re:BANKSTER wannabe by Steauengeglase · · Score: 3, Insightful

    If I had to points I'd mod you insightful.

  19. Re:You really want a rape analogy? by 5865 · · Score: 2, Insightful

    It's more like the rapists would always target the skirt wearers over the pants wearers because of the relative lower barrier to entry and the pants wearers would try to convert their skirt wearing sisters from their erroneous ways by calling them little sluts and being condescending.

    What the pants wearers don't realize is that it takes a significant investment of time and effort to learn how to slip into a pair of pants for people who don't sew pants for a living. Thus, the skirt wearers would rather spend extra money on mace or pepper spray that they can operate with a push of a button in times of emergency.

    Thing is, the pepper sprays leak into their skirts and whatever garments they are wearing underneath and leave them with a burning sensation and even then the skirt wearers would rather burn their coochies than learn how to slip into a pair of pants.

  20. In all seriousness... by CarpetShark · · Score: 5, Insightful

    From TFA:

    Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society.

    From your comment:

    ...the US prosecutor could just allege that he's capable of starting World War III...

    In all seriousness, it's a really bad idea to suggest that being capable of something, or representing a threat, is enough to punish someone for. Yes, this guy has probably caused a lot of damage. Should we convict him on the "probably"? No. Get some real, hard evidence, then do something. Preferably, do something useful, like show him how much damage he caused, and introduce him to the people who's lives he messed up, rather than just taking revenge on him. People who do that (namely, most of the so-called justice system) are part of the problem that makes this a dog-eat-dog world, not part of the solution.

  21. Re:BANKSTER wannabe by PrimalChrome · · Score: 2, Insightful

    If my alt had mod points, I'd mod you both insightful.

  22. Re:15 months, not years by 4D6963 · · Score: 2, Insightful

    And the lenient sentencing is because he ultimately did not cause much damage.

    What? Have you not heeded the cries of your fellow Slashdotters!? Lynch him! Draw him! Quarter him! Then hang his quarters separately!! Stealing bank passwords is so much worse than murder, rape or treason!

    --
    You just got troll'd!