Confessed Botnet Master Is a Security Professional

An anonymous reader writes "John Schiefer, the Los Angeles security consultant who in last 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing. Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society."

Your official guide to the Jigaboo presidency

Congratulations on your purchase of a brand new nigger! If handled properly, your apeman will give years of valuable, if reluctant, service.

INSTALLING YOUR NIGGER.
You should install your nigger differently according to whether you have purchased the field or house model. Field niggers work best in a serial configuration, i.e. chained together. Chain your nigger to another nigger immediately after unpacking it, and don't even think about taking that chain off, ever. Many niggers start singing as soon as you put a chain on them. This habit can usually be thrashed out of them if nipped in the bud. House niggers work best as standalone units, but should be hobbled or hamstrung to prevent attempts at escape. At this stage, your nigger can also be given a name. Most owners use the same names over and over, since niggers become confused by too much data. Rufus, Rastus, Remus, Toby, Carslisle, Carlton, Hey-You!-Yes-you!, Yeller, Blackstar, and Sambo are all effective names for your new buck nigger. If your nigger is a ho, it should be called Latrelle, L'Tanya, or Jemima. Some owners call their nigger hoes Latrine for a joke. Pearl, Blossom, and Ivory are also righteous names for nigger hoes. These names go straight over your nigger's head, by the way.

CONFIGURING YOUR NIGGER
Owing to a design error, your nigger comes equipped with a tongue and vocal chords. Most niggers can master only a few basic human phrases with this apparatus - "muh dick" being the most popular. However, others make barking, yelping, yapping noises and appear to be in some pain, so you should probably call a vet and have him remove your nigger's tongue. Once de-tongued your nigger will be a lot happier - at least, you won't hear it complaining anywhere near as much. Niggers have nothing interesting to say, anyway. Many owners also castrate their niggers for health reasons (yours, mine, and that of women, not the nigger's). This is strongly recommended, and frankly, it's a mystery why this is not done on the boat

HOUSING YOUR NIGGER.
Your nigger can be accommodated in cages with stout iron bars. Make sure, however, that the bars are wide enough to push pieces of nigger food through. The rule of thumb is, four niggers per square yard of cage. So a fifteen foot by thirty foot nigger cage can accommodate two hundred niggers. You can site a nigger cage anywhere, even on soft ground. Don't worry about your nigger fashioning makeshift shovels out of odd pieces of wood and digging an escape tunnel under the bars of the cage. Niggers never invented the shovel before and they're not about to now. In any case, your nigger is certainly too lazy to attempt escape. As long as the free food holds out, your nigger is living better than it did in Africa, so it will stay put. Buck niggers and hoe niggers can be safely accommodated in the same cage, as bucks never attempt sex with black hoes.

FEEDING YOUR NIGGER.
Your Nigger likes fried chicken, corn bread, and watermelon. You should therefore give it none of these things because its lazy ass almost certainly doesn't deserve it. Instead, feed it on porridge with salt, and creek water. Your nigger will supplement its diet with whatever it finds in the fields, other niggers, etc. Experienced nigger owners sometimes push watermelon slices through the bars of the nigger cage at the end of the day as a treat, but only if all niggers have worked well and nothing has been stolen that day. Mike of the Old Ranch Plantation reports that this last one is a killer, since all niggers steal something almost every single day of their lives. He reports he doesn't have to spend much on free watermelon for his niggers as a result. You should never allow your nigger meal breaks while at work, since if it stops work for more than ten minutes it will need to be retrained. You would be surprised how long it takes to teach a nigger to pick cotton. You really would. Coffee beans? Don't ask. You have no idea.

MAKING YOUR NIGGER WORK.
Niggers are very, very averse to work of any kind. The nigger's most

Re:Your official guide to the Jigaboo presidency

Thank you for this informative post.

Re:Your official guide to the Jigaboo presidency

[spikejnz]

It's good to see that ignorance and stupidity are still alive and well in 2009. Don't you have a meth lab to tend to?

Re:Your official guide to the Jigaboo presidency

If he's got that many niggers around, he'd be better off making crack. Meth is a white man's drug.

BURN HIM!

[erroneus]

He is one of those people who, in my opinion, qualifies for MUCH more harsh punishment. My opinions are on the far extreme though... not likely to happen, but it does call for a good old fashioned lynching.

Re:BURN HIM!

[nielsslein]

Wow.

Re:BURN HIM!

[jerep]

I guess the bigger threats are always from the inside.

Re:BURN HIM!

[HTH+NE1]

He is one of those people who, in my opinion, qualifies for MUCH more harsh punishment.

Well, the US prosecutor could just allege that he's capable of starting World War III if given an opportunity to whistle into a telephone to get him thrown into solitary confinement. It might even be more believable than the last time they used it successfully.

Re:BURN HIM!

[Lumpy]

you were modded troll probably because many of the It security guys here don't want to be lynched when they get caught for their dirty deeds.

I dont want to kill anyone, but I am a big supporter of public humiliation. part of his sentence needs to be 5 days in public stockades where people can throw non sharp objects at his face. and or take a few whacks with a switch to his body.

Re:BURN HIM!

[WillRobinson]

Maybe public stockades in some alley in San Fransisco. For 5 nights.

Re:BURN HIM!

[DrData99]

You whack him a few times with a 48 port PoE switch and you might kill him, body shots or not!

Re:BURN HIM!

[Perf]

I vote for 250,000 slaps on the wrist. ;-)

Re:BURN HIM!

[Darundal]

During the last Sunday in September.

Re:BURN HIM!

[ILuvRamen]

well it clearly says in the story that he's a danger to society so maybe we should have him register as a ditigal offender and under the rules of "Slashdot's Law" he has to inform every neighborhood he moves into that he's a digital offender so they can secure their wifi :-P Oh and he has to have a sign on his lawn too and be in a national database.

Re:BURN HIM!

[Sfing_ter]

no a small netgear 8 port router with all the cables plugged in we 8 ports + 1wan = cat-o-9 tails :D

Re:BURN HIM!

[bobetov]

I dont want to kill anyone, but I am a big supporter of public humiliation. part of his sentence needs to be 5 days in public stockades where people can throw non sharp objects at his face. and or take a few whacks with a switch to his body.

What is reminding him of high-school supposed to achieve?

Re:BURN HIM!

[wastedlife]

CAT5-o-nine-tails?

Re:BURN HIM!

[flyneye]

Burn him, my ass! Feed him to me! I can make a Columbian drug cartels methods look downright comfortable.
          People work hard for hours earning their money to make just enough to get along in todays world.Stealing is just like enslaving these people for the amount of time equal to the money taken.
Slave drivers don't deserve human rights. Let's treat them inhumanly along with anyone who would champion any rights for them.

Re:BURN HIM!

on Folsom Street...

Re:BURN HIM!

...it does call for a good old fashioned lynching.

well not what i had in mind, but how about death by urination? you could charge 5-10 dollars for someone to come take a leak on 'em. ;)

How does a kid who hacks his school's boxes to change his grades land himself 30+ years and this chump only is looking at 5 years tops. this is a joke. WTF this is an outrage!!!!!!! I say we storm the prison free the kid and put this guy in his place. our legal system is a complete joke. what a bunch of brouhaha... JUSTICE I SAY!!! JUSTICE!!!

Re:BURN HIM!

Death by Urination...HAHAHA, interesting. can we fling poo?

Re:BURN HIM!

[Perf]

Interesting how the common reaction to a crime is punishment, but restitution is hardly ever mentioned. All to often, the criminal pays "community service," the taxpayers pay for the trial, prosecution, and defense, the police sell any stolen property, and the victim is left holding the bag.

What if this man was forced to locate all 250,000 of his victims, go to each, personally apologize, and offer to pay restitution? Would that be punishment enough?

Re:BURN HIM!

[mqduck]

You know... If you're calling for a lynching, you should at least have the political sense to not call for the "good, old fashioned" kind.

Re:BURN HIM!

http://www.usdoj.gov/usao/cac/pressroom/pr2008/043.html

Sentencing has been postponed twice, now scheduled for FEb 25, 2009.

Currently working as a system/network administrator for a Santa Monica startup, they are a search engine/social portal (hint: Hawaiian hello/goodbye). If your not using the usual google/yahoo/msn. be careful!

Re:BURN HIM!

The crazy part is that he's working for a search engine/social network in Santa Monica now. How could a company like that have him as their system admin!?!?!

Proofreading? What's that? :p

"..spent the last 15 months working as a professional in the security scene.."
Doesn't ANYBODY bother proofreading these things before they're posted to the main page??!? This is a simple mistake, but let's face it folks, there have been GLARING errors before. A little professionalism, please? KTHXBYE

Re:Proofreading? What's that? :p

A little professionalism, please? KTHXBYE

I don't even know what to do with that...

Re:Proofreading? What's that? :p

Sheesh, where's your sense of humor? Just because I said, "KTHXBYE" at the end doesn't mean it invalidates my point! Sheesh!

Re:Proofreading? What's that? :p

[thePowerOfGrayskull]

Or what about:

consultant who in last 2007 ...

As opposed to the 2007 before that? Or next 2007?

Re:Proofreading? What's that? :p

ummm...yes it does.

Re:Proofreading? What's that? :p

seconded

Re:Proofreading? What's that? :p

[jgtg32a]

maybe ISO 2007?

http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=45386

Re:Proofreading? What's that? :p

[plnix0]

As opposed to the 2007 before that? Or next 2007?

Hey, it helps to clarify. Didn't you study the Botnet Wars of 2007 BC in history class?

Re:Proofreading? What's that? :p

1) Print the post out on heavy card stock.
2) Fold it until it is all corners.
3) ???????
4) Profit.

Random ACs aren't getting paid to post or edit topics.

BANKSTER wannabe

He should have worked in finance. There it's expected for you to loot the company safe and walk away with billions of dollars. Leaving a burning building behind you taxpayers footing the bill for cleaning it up is absolutely expected. Big career path mistake on his part. Perhaps while in prison he can study for his MBA and open a hedge fund on release.

Re:BANKSTER wannabe

[Steauengeglase]

If I had to points I'd mod you insightful.

Re:BANKSTER wannabe

I just did. I still don't believe why people like Richard Fuld and Bernard Madoff aren't in prisons yet. If people like those can be forgiven, then almost any criminal can be forgiven, save murderers.

Re:BANKSTER wannabe

[PrimalChrome]

If my alt had mod points, I'd mod you both insightful.

Re:BANKSTER wannabe

If I had to, points I'd mod you - insightful.

Nope.

If I (had, to points, I'd) mod you, insightful.

No...

If, I had, to points - I'd mod you insightful.

No!

If I had to (points) I'd mod you insightful.

Points at what?

Damn it, this just isn't working.

Re:BANKSTER wannabe

[Ihmhi]

Slashdotters have alts?

What, were you bored with your original account and decided to roll a shammy?

Re:BANKSTER wannabe

I think the bankers are more lazy than malicious. I once heard a quote "We aren't that dumb, and we aren't that smart either." referring to Coca-Cola's failed introduction of "New Coke." I think the same idea applies here. Bankers aren't out to steal money or make a sham of the system. They're intensely strict, law-abiding people who desperately want to make a buck. They made some bad bets and now they're squirming asking for help to a problem that may not have happened if everyone wasn't interested in maximizing profits at whatever the cost.

Unfortunately, it seems most Americans don't know enough about economics to realize that the whole idea of capitalism is based on limited access to information or other resources affecting price. Survival of the fittest and making a profit are central tenets of American culture. In the case of the banks, they were missing or ignoring information in an effort to make a bigger profit. How do we waive aside the capitalism we cling to so dearly because we blindly placed too much economic power in the hands of a few people who did things we all claim to be part of our national identity?

There's another solution nobody in power wants to talk about: change the entire financial system. We've got to rethink what money is, how we're going to run our economy, and what practices are ethical in the modern economy.

Typical editting

"... who in last 2007 admitted ..."
Was there confusion on which 2007 was being referred to? "last 2007" as opposed to the next 2007?

Re:Typical editting

[networkBoy]

well eventually we'll roll over the googleplex counter for years...

Re:Typical editting

[Apatharch]

I suppose it depends which calendars you take into consideration.

This should come as no surprise

[htnmmo]

Not everyone can create a botnet. There's some skill involved and you have to know details about vulnerabilities and how to exploit them.

Did you expect him to be a shoe salesman?

This is like that guy from the Gaming Control board that was cheating slots.

Re:This should come as no surprise

[TheRealMindChild]

There's some skill involved and you have to know details about vulnerabilities and how to exploit them.Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.

Re:This should come as no surprise

[furby076]

Who do we blame
1) Play computer games - be a nerd
2) Get called a geek and beat up by bullies
3) Learn to hack computer games putting pictures of the bullies on the characters you plan to frag
4) Learn to hack your bullies computers so you can destroy their homework
5) Hack the world
6) Get caught
7) Get a job, get rich

Well we can either blame video games or bullies. I point my finger at video games.

Re:This should come as no surprise

Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.

I'm sure every shoe salesman reading this knows exactly what you're on about.

Re:This should come as no surprise

[QuantumRiff]

No, but I'd expect him to know the repercussions of what he was doing, based upon his job. We hold people to higher standards in professional careers. A fireman that is an arsonist (okay, a criminal one, every fireman is a pyromaniac), or a Policeman that robs banks deserve much higher sentences for violating the public trust.

Re:This should come as no surprise

So this might mean all the zillions of viruses are actually created by the McAfee and Norton to keep their captive audiences?

Re:This should come as no surprise

[cgfsd]

I wonder if he plan on putting this on his resume?

Controlled Bot Net of over 250,000.
    Administered over 250,000 SMTP nodes.
    Distributed computing experience of over 250,000 machines.
    Responsible for over 10 million email messages per day.
    Internet bandwidth administrator

etc.

Re:This should come as no surprise

[Ironica]

I wonder if he plan on putting this on his resume?

Controlled Bot Net of over 250,000.

I prefer the way TFA put it: "...wielded a 250,000-strong bot army."

Re:This should come as no surprise

[drolli]

No. It just takes ambition, as most things on this planet. Being not completely stupid helps, but i think from the viewpoint of knowledge 90% of the IT professionals could create a botnet, if they invested the Energy to do so.

Re:This should come as no surprise

[SL+Baur]

Controlled Bot Net of over 250,000.

I prefer the way TFA put it: "...wielded a 250,000-strong bot army."

Directed and managed 250k node network.

"in last 2007"

[nedlohs]

As opposed to the 2007 before that?

Re:"in last 2007"

[bsDaemon]

2007 BCE?

Re:"in last 2007"

As opposed to next 2007.

Re:"in last 2007"

As opposed to the 2007 before that?

He also spend the last 15 working... last 15 what? years?

Re:"in last 2007"

[asolidvoid]

At least it's not the guy from next 2007 - he made a 250,000-node robotnet, and did a lot more with it than stealing some piddly passwords.

Re:"in last 2007"

[Sockatume]

If it was 2007BCE, I'm thinking eras? Ages? Civlisations?

Re:"in last 2007"

[thebheffect]

The last 15 minutes. He just decided to become a security professional. I don't understand this story now.

Re:"in last 2007"

[elrous0]

And that man's name? John Titor.

Re:"in last 2007"

You know what? I find it amusing that people don't want to base their calendar off the life of Jesus, but they think that changing the abbreviation will change the fact that it is nonetheless based off the life of Jesus.

Tell you what... since I don't like England, I'm not using Greenwich Mean Time. I'm making my own time standard called "Freumouyleant Miscrashial Time". The conversion formula is: HH:MM:SS GMT = HH:MM:SS FMT.

Re:"in last 2007"

[nschubach]

It would be pretty hard to convince the bank as to why you put Jan 26, ~4543632795 on your mortgage check.

Re:"in last 2007"

Why would anybody base a calender on the life of the guy that works at Alberto's?

Re:"in last 2007"

Feel free to try. I'm just saying... "Current Era" and "Before Current Era" demand an answer to the question "what the hell is the 'current' era, and why?" (I would have said it "begs the question", but then the grammar nazis would have crucified me.) Oh wait, the beginning of the "current era" is based on the life/death of Jesus... well why didn't you just say that?

How long does sentancing take?

[jandrese]

15 years seems like a long time to figure out the punishment for a guy after he's found guilty.

Re:How long does sentancing take?

[immakiku]

Article states 15 "months", not years.

Re:How long does sentancing take?

According to the article, it's 15 months, not years. That's still a little long for the sentencing phase, though. ;)

(The summary uses a confusing sentence structure, AND it just says "the past 15" without giving the unit of time.)

Re:How long does sentancing take?

[BigBlackDog]

...spent the past 15 working as a professional...

Where does it say months?

pushing for a five-year sentence

It does say years, admittedly in a different context.

--BBD

Re:How long does sentancing take?

-1 Stupidly taking one context to supply a different missing context.

Maybe -1000 stupid.

Re:How long does sentancing take?

[mmkkbb]

Read the article, not the summary.

Re:How long does sentancing take?

You must be new here, welcome to /.

Substantial Threat to Society?

What about the individuals who's computers were compromised by him? Are they not themselves partially culpable for his actions? Shouldn't people feel compelled to not let themselves become zombies?

Re:Substantial Threat to Society?

[MozeeToby]

What about the woman that gets raped on the street? Isn't she partly responsible for the rapists behavior?

Come on people, quit blaming the victim; especially when the victim is an average person (as is evidence by the sheer size that many botnets reach).

Re:Substantial Threat to Society?

Exactly, those are the real criminals, the real threats. I say not only *should* these people feel compelled, they should *BE* forcefully compelled under threat of penalty. They obviously failed, so let this guy go and prosecute the people whose computers were compromised. They were simply begging for him to do what he did, it's not his fault. like you say, they're "culpable" for his actions. Poor guy.


...

Re:Substantial Threat to Society?

[Beardo+the+Bearded]

According to /. logic, if she didn't want to be raped, she should have closed her ports.

Re:Substantial Threat to Society?

[Comatose51]

Depends on who you ask. If you're asking a socially conservative, self-righteous "virtuous" woman, she might say "yes", it's the girl fault. We know there are countries where people are like that. On Slashdot, if you ask a bunch of condescending techies about being a victim of a cyber crime, there's a good possibility that some of the people will blame the victim. I'm not saying that they're right but simply their perspective is narrower and maybe even biased. Personally, counting on people for reasonable, correct behavior is a fool's hope and failing to account for people's tendency to act less than reasonable is a weakness in any security system or protocol.

Re:Substantial Threat to Society?

[Ephemeriis]

What about the individuals who's computers were compromised by him? Are they not themselves partially culpable for his actions? Shouldn't people feel compelled to not let themselves become zombies?

Sure, I should probably lock the door of my house when I leave for work... It's probably a good idea to lock my car in the parking lot, too... But that doesn't mean it isn't a criminal act if you walk into my house and steal something.

Yes, from an insurance standpoint not locking the door will likely have an effect. If my insurance company knows that I didn't lock my car they probably won't pay for any repairs it may need after being recovered. But the guy who steals it is still a criminal, still goes on trial, and still goes to jail.

Just because someone didn't patch their computer doesn't mean it's OK to exploit those vulnerabilities. It's a weak point in the computer's security, not an open invitation. Are you suggesting that it's OK to break into someone's house because the windows are fragile?

Creating a botnet from zombied computers is no trivial act. Simply exploiting a vulnerability takes some time and effort. It isn't as if this guy just kind of tripped over a botnet and accidentally stole some identities. This was an intentional criminal act.

Re:Substantial Threat to Society?

That really depends on a lot of factors. But the answer is that it's possible that risks she took and clothing she wore made her more of a target. She could bear some responsibility, but that in no way diminishes the guilt of the actual perpetrators.

The moral is: punish the bad guys, and implore women everywhere not to take stupid risks. Also, try to figure out what those risk factors are. It would be pretty dumb to avoid perceived risk that doesn't exist and ignore a real risk that you didn't bother to find out about.

I think that maps well to just about any crime you can be a victim of, really.

Re:Substantial Threat to Society?

[TubeSteak]

Personally, counting on people for reasonable, correct behavior is a fool's hope and failing to account for people's tendency to act less than reasonable is a weakness in any security system or protocol.

The difference between meatspace crimes and internet crimes is the level of risk.

You can get away with less security in the real world,
because the level of risk to commit crimes is much higher.
Online, the risk is lower and in response, your level of security should be much higher.

Re:Substantial Threat to Society?

Ow...

Re:Substantial Threat to Society?

[venuspcs]

Maybe she wanted someone else to close her ports.

Re:Substantial Threat to Society?

[Xelios]

This seems to be a common thing here on slashdot. Take valid logic from one scenario, transfer it over to a completely different scenario and then rate insightful or interesting because the logic no longer works. The devil's in the details folks.

Leaving the (IMO bad) rape analogy aside, I would say it is partly the victims fault. The average person doesn't want to take the time to learn a few things about basic computer security, and this creates a breeding ground for botnets. Conflicker originally spread through email attachments, it's amazing to me that people are still opening attachments from people they don't know, especially executables. And yes, I believe if the average person hasn't learned by now that this is not a good idea then they should bear some of the responsibility for these outbreaks.

To use one of those analogies I talked about at the beginning of my post, it's as if everyone is leaving their keys in their unlocked cars and then wondering why thieves are having a field day with them. Is it their fault that their car was stolen? No, but they aren't helping the situation by not taking basic security precautions.

Re:Substantial Threat to Society?

[Sfing_ter]

To further this analogy, here is the clothing that was designed by microsoft to protect her from all external access. NSFW... :D

Re:Substantial Threat to Society?

[AceofSpades19]

There is a slight difference between a women being randomly raped on the street and someone not doing anything at all to protect themselves from a botnet. There isn't much the woman could do to defend herself thats within reason, but there is alot the average computer user could do to protect their computer, eg. installing updates regularly, using a decent anti-virus etc. But I still think the guy that created should still be punished, regardless

Re:Substantial Threat to Society?

[AceofSpades19]

. It isn't as if this guy just kind of tripped over a botnet and accidentally stole some identities. This was an intentional criminal act.

Are you saying that has never happened to you before?, it happens to me everyday

Re:Substantial Threat to Society?

[Zolodoco]

That analogy might work if we're talking about a miscreant who rapes by proxy with an army of relatively stupid rape-bots that run around looking specifically for people with no nickers whose legs are spread wide open and/or ass cheeks spread to accommodate its specific design. In that case, if you know or suspect that there's an army of such rape-bots running around and you don't take adequate precautions, you won't get much sympathy.

Re:Substantial Threat to Society?

[clone53421]

Totally not an original idea... this guy came up with it first.

Re:Substantial Threat to Society?

[CAIMLAS]

That depends on whether you consider the fault on her part having been raped, or failing to try to prevent it, I suppose.

I wouldn't say it's entirely her fault for being raped, but it is her fault for not taking the appropriate precautions to inhibit or prevent the rape. In so far as she does not take precautions, she is (at least) liable for the rape (to the same degree that someone wearing fishnets down a slum alley after dark would be, but to a lesser degree). No, nobody ever "asked for it" - that's the extreme, and so far off on right field that it holds no validity. However, that does not diminish the fact that it hits upon a sentiment (albeit, entirely too strongly) which is appropriate.

In a just world with self-aware, prudent women, that would mean that said potential-rape victim would go about armed so as to inhibit and discourage a rape - and such behavior would be not only acceptable but expected. Much in the same way that it should be acceptable and expected for a person to keep their operating system and software up to date.

Ignorance and naivety have never been excusable traits. Forgivable, certainly.

Re:Substantial Threat to Society?

[Hogwash+McFly]

Ah, the old nippleless female human. A rare specimen, or so I've heard.

Re:Substantial Threat to Society?

You're sarcastic, but I've accidentally stolen some identities. The following has actually happened to me (multiple times):
"Hmm... this login page looks a little funny... www.myspaec.com/login/login.php eh? Wonder what's up a directory... Oh look, login.php and passwords.txt, are you freaking kidding me."
I mean, I'd probably just dump the logins to a text file too, but in a public directory? A public, LISTABLE directory?! Experiences like this have warmed me to the idea of some skiddie building a botnet and somehow managing to ship a control panel executable with every infection.

Re:Substantial Threat to Society?

[Ironica]

Sure, I should probably lock the door of my house when I leave for work... It's probably a good idea to lock my car in the parking lot, too... But that doesn't mean it isn't a criminal act if you walk into my house and steal something.

Or, because I'm sooooo much more comfortable with the car analogy than the rape analogy... if you leave your car unlocked, and someone steals it, yeah, you were dumb, and it sucks that your car is now stolen.

It happens that cars used in crimes are often stolen cars. If your car is stolen, then used in robbing a bank, do you have any culpability for robbing the bank? If a security guard gets shot in the robbery, do *you* get slapped with a wrongful death suit? What if he gets run over with your car during the getaway?

Yes, you are, to an extent, morally at fault for your car getting stolen, and the penalty is your car is gone. But you're *not* morally responsible for what someone does with your stolen car. That's too much of a reach, even for 85% of /. (I'm sure as many as 15% of slashdotters can make even THAT leap, though.)

Re:Substantial Threat to Society?

[dkf]

Sure, I should probably lock the door of my house when I leave for work... It's probably a good idea to lock my car in the parking lot, too... But that doesn't mean it isn't a criminal act if you walk into my house and steal something.

Yes, from an insurance standpoint not locking the door will likely have an effect. If my insurance company knows that I didn't lock my car they probably won't pay for any repairs it may need after being recovered. But the guy who steals it is still a criminal, still goes on trial, and still goes to jail.

In that specific case? It's possible that if you didn't take "reasonable" steps to secure your property, the thief would be able to get a lesser sentence. (Yeah, this really does depend on the jurisdiction, but the principle of mitigating and aggravating factors changing the sentence will hold true everywhere which uses English Common Law as the basis, including the US. AIUI anyway.)

With hacking, the key bad act is the usage of the computer without the approval of the owner. If the user fails to keep patched that will mitigate, but leaving behind anything to make it easier to get back in would (significantly) aggravate, just as making a copy of the house key would make burglary much worse. (According to TFS, one of the objectives of the hacking was the theft of "bank passwords", which is a separate fraud-related crime.)

This was an intentional criminal act.

Yeah. And (leaving the law out for the moment) it really comes down to whether we, as a community, could ever trust him again. I don't think I could; if I ever hired him to do something for me, I'd not want to use the result until I'd had it independently verified by someone I trust. But then again, at that point I'd just hire the trusted verifier to do the work for me in the first place...

Re:Substantial Threat to Society?

My little pedantic self would like to point something out:

The crime the guy would go to jail for would be different depending on whether or not you locked the door -- whether it's "breaking and entering" or illegal entry.

Re:Substantial Threat to Society?

[clone53421]

My own pedantry demands that I correct your slight error: If the door was closed, entering (even if it were unlocked) would still be classified as "breaking and entering".

http://en.wikipedia.org/wiki/Breaking_and_entering#Historical_definition

The first element, "breaking," required at least a minimal application of force. The opening of an unlocked door was sufficient, but if a person entered a house through an already open door or window, there was no "breaking" and therefore no burglary, even if all other elements were present. However, if a person were to enter the house through an open door, and were then to open a closed door leading to another room in the house, that would qualify as "breaking" into that room.

Disgraceful

[DeadPixels]

While I'm not surprised that it was someone heavily involved in the field, as a future security professional myself, I'm rather ashamed that this man's greed won out over his ethics.

Re:Disgraceful

[Thiez]

Why? ANYONE with a working brain can become a security professional. You are not in any way responsible for his actions (or for the actions of any other security professional), but by saying you feel 'ashamed' for his actions you suggest you somehow are (and that security professionals are incapable of independent thought...). Why do you feel shame?

Re:Disgraceful

Musicians perform, thief steals, security 'professionals' break into computers...qed

Re:Disgraceful

[Opportunist]

I am in the field, and I'm not ashamed for, but fuckin' angry at him.

I keep talking 'til I turn blue to squelch the rumors that AV researchers spread malware themselves to have a reason to exist, we get that crap anyway. We try to hunt down asshats like that guy. And then, usually when you finally got at least part of the population to believe that you're actually out to help them, someone like him comes along and ruins it. For all of us. Try to build up trust when you hear that the person that claimed to help you actually was the one that infected you!

I am, quite bluntly, insanely pissed at the guy.

Re:Disgraceful

[Ant+P.]

No need. Most people here are smart enough to know it's not the researchers, but the companies peddling antivirus software that create viruses.

Re:Disgraceful

[Opportunist]

It ain't even them. For different reasons. A company that would be known to make malware would be quite dead quite soon, it would fall out of the network before they even know what hit them.

As I said, there's no need to throw money at developing malware. It's done for free for us, why should we bother?

I miss the old days

[MillionthMonkey]

Their culprit would turn out to be a pimple-faced highschool kid dialing in with his VIC-Modem and Commodore 64, and then he'd maybe even get a drudging job offer. Nowadays the job offer part comes first.

Re:I miss the old days

[elrous0]

No, that was the PROBLEM. This guy probably started out as a "pimple-faced highschool kid dialing in with his VIC-Modem and Commodore 64" who got a job offer to go legitimate. So he went legitimate for a while, but his nature ultimately led him back to black hat work. The idea of hiring a black hat and turning him to a white hate sounds nice, but the reality is that you can never really trust someone like that not to go back to their old ways.

Re:I miss the old days

[Opportunist]

Only because nobody in the field touches a known criminal with a 10 foot pole anymore. You may rest assured that he's out of the biz for good now.

Unfortunately there are crooks in every field. You have firemen starting fires. You have cops breaking laws. And they're usually also harder to catch because they know exactly how the deal works, what to watch out for, how to do it to leave no usable tracks, etc.

At least I can find my peace in the fact that it's not swept under the rug in our biz.

Re:I miss the old days

[ceoyoyo]

I'm not sure it sounds nice anyway. Something about profiting from your crime....

Hire the guy who DIDN'T do anything wrong, or the one who discovered and reported or tried to fix the existing problem.

I have never figured out why computer security companies seem think that someone breaking something means they'd be good at fixing it. There can't be any shortage of volunteers who actually fix vulnerabilities in open source software.

Re:I miss the old days

[bill_mcgonigle]

or the one who discovered and reported or tried to fix the existing problem.

Sorry, he's already in jail for doing that. :(

Re:I miss the old days

[ceoyoyo]

Exactly. If you do the right thing you go to jail. If you don't you either get rich or you go to jail and get a job. If you manage to make a big splash while doing it you might get a book and movie deal and end up getting rich anyway.

There's a deterrent there, but it doesn't seem to be in quite the right direction.

Re:I miss the old days

[bill_mcgonigle]

There's a deterrent there, but it doesn't seem to be in quite the right direction.

We're trying to build a society that's exclusively codified moral hazards; didn't you get the memo?

the past 15?!?

[gEvil+(beta)]

...says he's spent the past 15 working as a professional in the security scene...

Oh my God! Only the past 15?!? I've already spent the past 120 perusing slashdot.

Hint: qualifiers matter.

Re:the past 15?!?

And I just spent the past 8000 replying to your post!

Re:the past 15?!?

[ceoyoyo]

You mean units. Qualifiers would be something like "spent the past 15 working as a professional in the security scene, [but only at night. During the day he sold hotdogs.]"

Re:the past 15?!?

[gEvil+(beta)]

If I'm not mistaken, 'qualifier' would be the more general term, with 'unit' being the type of qualifier needed in this specific case.

Re:the past 15?!?

Do you mean units?

Re:the past 15?!?

[clone53421]

Well, units would be a type of qualifier, so he might have.

Being sexually abused is a mitigating factor?

Schiefer's attorney also said his history included a "substance abuse problem" and being "the target of sexual abuse."

Riiight, because most victims of sexual abuse go and create botnets to steal bank passwords. Disingenuous much?

Re:Being sexually abused is a mitigating factor?

They misunderingenuosed me.

Re:Being sexually abused is a mitigating factor?

Riiight, because most victims of sexual abuse go and create botnets to steal bank passwords. Disingenuous much?

No, but they do engage in self destructive behavior such as substance abuse, addiction and crime.
(not an excuse).

Re:Being sexually abused is a mitigating factor?

People who are sexually abused are more often involved in crime though. It may have left him more open to bending the rules than if he had not been abused.

This specific crime was just the one he happened to be capable of doing.

Re:Being sexually abused is a mitigating factor?

i like to bend the rules, yet i have never been abused... EVER...

/me cries in shame

Re:Being sexually abused is a mitigating factor?

Sexual abuse victims are more likely to commit murder (of their abuser) or sexually abuse others. I'm fairly certain that they aren't any more likely than you or me to create a botnet.

Re:Being sexually abused is a mitigating factor?

[blair1q]

His future is going to look a lot like his past, then.

Re:Being sexually abused is a mitigating factor?

[gad_zuki!]

People suffering from real PTSD dont hold jobs and they certainly dont sit around writing botnet code. If you really have PTSD or mental trauma from abuse youre not very functional. This guy is pissing in the eye of people with real mental health issues for a lame sympathy vote for the jury.

>substance abuse problem

Ditto for this. Ive known a couple real addicts. People who deserve some sympathy for their mindless actions. None of them were as remotely functional as this guy.

This guy is just an old fashioned criminal and deserves to serve time.

Re:Being sexually abused is a mitigating factor?

[Opportunist]

That would maybe explain him dealing drugs or abusing someone sexually. How does it explain spreading malware? Does it mean that I get off the hook if I shoot him when I get robbed first?

Re:Being sexually abused is a mitigating factor?

[Ironica]

I seem to recall that they are more likely to suffer from narcissistic personality disorder, though... and that probably is consistent with this particular type of crime.

FREE TERRY CHILDS!

Oops... wrong guy.

Jail him. Now.

[postbigbang]

There should be 250,000 litigants, one each for the number of botted machines out there filing suit against him in addition to being behind bars with his hands cuffed (can one type in cuffs? might be interesting).

This guy is a poster boy for how due process ought to work for computer criminals. The trust factor should be zero. This isn't a hero, this is a master thief.

Re:Jail him. Now.

[FeepingCreature]

This isn't a hero, this is a master thief.

For some reason, this made me think of a Halo / Thief series crossover. Garrett-117?

Re:Jail him. Now.

[An+ominous+Cow+art]

> Garrett-117

What's the Half-Life of that isotope?

Re:Jail him. Now.

[furby076]

This isn't a hero, this is a master thief.

So was Robin of Locksley and he was a hero.

Re:Jail him. Now.

[operator_error]

--> in addition to being behind bars with his hands cuffed.

It would at least slow him down if his hands were cuffed behind his back.

At least I imagine so. Hell, I can't touch type when both hands are in front of me. Sounds difficult anyway.

Re:Jail him. Now.

[thePowerOfGrayskull]

To the people he "helped". I'm sure the spammers think our boy wonder here is hero too.

Re:Jail him. Now.

[SCHecklerX]

I dunno. Maybe those 250,000 should also be charged with aiding and abetting...

Re:Jail him. Now.

[postbigbang]

Right. Walking down the street, a guy comes up and sticks them up. Shoot the victim. Aid? Abet? Just by surfing some place or by being unarmed and perhaps not smart as you are?

Re:Jail him. Now.

As long as each litigant needs to prove damages, sure.

15 months, not years

[immakiku]

Needs to be clarified is that this is 15 months he spent waiting for punishment, not 15 years. And the lenient sentencing is because he ultimately did not cause much damage.

Re:15 months, not years

If I spray painted an "X" on one house, then I did not cause much damage.

If I spray painted an "X" on 250,000 houses ...

Re:15 months, not years

[blair1q]

Did any other botnet operator learn anything from him?

Did he disrupt the progress of networking and technology and banking by forcing resources to be diverted to preventing his sort of crime?

Is he wasting my time by being infamous enough to get my attention on slashdot?

He is not benign.

Re:15 months, not years

[Paradise+Pete]

If I spray painted an "X" on 250,000 houses ...

Then you'd have about a quarter million angry helicopter pilots on your hands.

Re:15 months, not years

[SilverJets]

Did not cause much damage?

Hmmm...identity theft, compromised 250,000 PCs, and stole hundreds of thousands of bank account passwords.

Yeah, not much damage there.

Good thing for him he didn't access any corporate networks or he would have been number 1 on the FBI's most wanted list like Kevin Mitnick was. Though at most Mitnick explored some networks, read some mail, made free phone calls, and supposedly copied some software. I guess that adds up to being a lot worse than identity theft and stealing bank account information.

Re:15 months, not years

[4D6963]

And the lenient sentencing is because he ultimately did not cause much damage.

What? Have you not heeded the cries of your fellow Slashdotters!? Lynch him! Draw him! Quarter him! Then hang his quarters separately!! Stealing bank passwords is so much worse than murder, rape or treason!

Re:15 months, not years

[Ironica]

What? Have you not heeded the cries of your fellow Slashdotters!? Lynch him! Draw him! Quarter him! Then hang his quarters separately!! Stealing bank passwords is so much worse than murder, rape or treason!

Actually, if you read upthread a ways, it's apparently a whole lot like rape. Of course, it's also like stealing a car. Or driving a car. Or building a car with 250,000 robots... [I'm so confused...]

Glad we have editors here...

[shoegoo]

to make sure the grammar is correct and the submissions lack certain unpleasantries such as run-on sentences.

A note to the editors...

[Drasil]

Please edit submissions that contain glaring grammatical errors.

Re:A note to the editors...

[spikejnz]

You're making the assumption that the "glaring grammatical errors" are obvious to those individuals making such "glaring grammatical errors."

Fail!

Re:A note to the editors...

[Drasil]

No, I'm making the assumption that the /. editors are capable of spotting "glaring grammatical errors" in user submissions. I see your fail and raise you a RTFC ;)

insanity defense ..

[rs232]

"An American security consultant who stole hundreds of thousands of online bank passwords by employing a massive botnet that he often administered from work"

Re:insanity defense ..

[dodobh]

Would anyone ever suspect a security "professional" at work of administering a botnet from there? I would call it an extremely efficient disguise.

Re:insanity defense ..

That and what he would be looking at in terms of a botnet on his screen would look identical to any other mumbo-jumbo to his boss. I'm sure it was a lot easier than it sounds for this guy.

Re:insanity defense ..

how did he get caught then?

Re:insanity defense ..

Using company resources for personal gain...doesn't the company now own the botnet and bank passwords? Gotta go check my dilbert references...

Five years?

[brian0918]

Is it just me, or does 5 years seem kinda low for someone who has infiltrated 250,000 computers and has been stealing bank account passwords??

Re:Five years?

No, considering the sentence for certain types of murder might only be 6-7 years.

Re:Five years?

[furby076]

Considering that people who commit manslaughter can go to jail for less then no I don't think so.

Problem with our legal system is that it has disparaging sentences. This turns out to be cruel and unusual punishment. We have people who kill others and go to jail for a couple of years...then we have people who rob banks who go to jail for a decade (plus extra time for each illegal weapon/ammunition even if a shot was never fired) and then we expect computer hackers (while malicious, didn't kill anyone) go to jail for a long time?

Yes what he did was bad, but no 5 years is a bit extreme, and anything over that is just being petty.

Re:Five years?

[neoform]

This is merely a case of someone breaking and entering 250,000 times as well as attempting bank fraud on each of his victims.. the guy should get a misdemeanor and do 20 hours community service.

Re:Five years?

[ArsonSmith]

I have to agree. 5 years per offense seems reasonable. You hack a computer you get 5 years in jail. You hack 250,000 you get 1.25 million years in jail.

Re:Five years?

[roguegramma]

I think it is actually too much prison time for intangible damage, but that he should instead be forced for ten years to spend his extra income on some organisation that works against botnets or helps people out of them. Say 250,000x40$ to fix every one of them and he owes like 10 million to society.

Re:Five years?

They're putting him away because he's a danger to society -- in five years, there won't be any more security holes in Windows, thus no danger in letting him out.

Re:Five years?

[brian0918]

If you spend 10 hours of work to get a $500 increase in the "intangible" number in your bank account, and you suddenly lose that number, has something tangible been lost? Is something tangible lost when you have to spend more time trying to figure out what happened and to recover that intangible number?

Re:Five years?

Is it just me, or does 5 years seem kinda low for someone who has killed another person?

Remember, in this country, you spend more time in jail for stealing from a business, illegally accessing credit card numbers, or writing software than you get if you go out and kill someone (just as long as you don't think about doing it first, otherwise it becomes murder and you may possibly get 10-20 years in prison.)

he should know better indeed

[cortesoft]

This summary hurts my brain... last 2007 and the past 15? Really?

Bastard...

Two of my friends were gang-raped by botnets.

misread title

[charlener]

and for a moment was wondering how a confused botnet master could be a security professional...

From your Friendly Security Professional

My professional opinion is that Internet Explorer is a fast, reliable, and safe web browsing platform.

Also, make sure ActiveX is turned on. It's important for your safety.

Re:From your Friendly Security Professional

Anonymous (this post) stabs Anonymous (parent post) with an Titanium Spork from ThinkGeek

The sentence acceptance speech

[AnalPerfume]

Is he going to thank Microsoft for their invaluable assistance in his career and sentencing award? After all, without Microsoft's dodgy software he wouldn't be able to have done what he did. Maybe he could just throw a chair at the judge in a symbolic gesture of thanks to Steve Ballmer.

Title is wrong.

[clone53421]

It should read,

"Confessed Botnet Master Was a Security Professional"

Last 15 bank passwords

[pjt33]

Bank passwords. Don't they teach people how to parse sentences any more?

Re:Last 15 bank passwords

[clone53421]

Well, it was a toss-up between bank passwords or botnet nodes...

Make him learn a real trade

[SnarfQuest]

While he's in prison, make him learn a new trade. Maybe by using one of those internet colleges. He couldn't cause trouble doing that.

It's not shoe salesman vs IT, it's "one of us"

[Wrexs0ul]

I think the surprise doesn't come from the fact it was a security guy, but the idea that someone like a lot of slashdotters is that capable of hurting others. Outside of the money and women, part of what we do as IT is helping and protecting people in the wild west that is networks. The fact a "good guy" could be bad is an extra sucker punch because a lot of folks here deep down probably wouldn't do that, and would have a tough time associating with the reasons why.

Idealistic, eh? Still, sucks when John Wayne saves the girl only to go rob the bank one town over.

-Matt

Re:It's not shoe salesman vs IT, it's "one of us"

You should see some of the dual personality people that code for spam filtering projects. They double dip both for the prevention of spam and by getting paid to circumvent spam filters. You wouldn't believe how tempted some security "professionals" get when money gets tight.

Re:It's not shoe salesman vs IT, it's "one of us"

I wouldn't be surprised to find that most people are not too far away from the Office Space mentality: Having something to lose, fear of punishment and lack of opportunities seem to be the only barriers. Why do you think Russia is teeming with black hats? Those are intelligent people who have little to lose and much to gain by joining the dark side.

Ethics is a team sport. We're not all heroes who do the right thing no matter what is being done to us. The hero or one-man-army image of security professionals should fade away. It's a delusion. People of all ranks and professions have it in them, as you should have noticed in the recent months. You have to account for people going rogue. Redundancy, verification and limited power are the way to security, not hiring a wizard.

Re:It's not shoe salesman vs IT, it's "one of us"

but the idea that someone like a lot of slashdotters is that capable of hurting others.

You mean someone introverted and nerdy like, say, Hans Reiser?

Nerds don't have some special innocence. We share all the vices of people who aren't obsessed with technology. Cops go bad, nightclub security is often on the take so why not IT security? Wherever there's security there'll be corruption.

Re:It's not shoe salesman vs IT, it's "one of us"

"Good? Bad? I'm the one with the gun." - Ash, Army of Darkness

What do you mean, "one of us"? A common thief? An opportunistic prick who capitalizes on the ignorance of others? A coward, afraid to face the consequences of his actions? A foolish asshole who thought he would never get caught? None of those describe me (and I suspect not you either).

Oh.. You mean he works in the IT department? That doesn't make him a "good" guy. In this country any asshole has the same opportunities as you or I. Its what we make of those opportunities that defines us.

There is nothing inherently noble about working in IT.

Re:It's not shoe salesman vs IT, it's "one of us"

[jollyreaper]

Outside of the money and women, part of what we do as IT is helping and protecting people in the wild west that is networks.

Back up a sec, money and women? Fuck, I knew I was doing something wrong!

Re:It's not shoe salesman vs IT, it's "one of us"

[tsstahl]

Redundancy, verification and limited power are the way to security, not hiring a wizard.

But the hats are SOOOO COOOL. Why else are drawn to this trade?

Re:It's not shoe salesman vs IT, it's "one of us"

[Kayden]

Yea, it's not a position where the members are inherently good and a paragons of society like being a priest.

Re:It's not shoe salesman vs IT, it's "one of us"

[nschubach]

You have to account for people going rogue. Redundancy, verification and limited power are the way to security, not hiring a wizard.

Why not multiclass? You get the dex bonus to armor and all the other benefits of both classes!

Re:It's not shoe salesman vs IT, it's "one of us"

[AgentPhunk]

Make a lot of money, Keep it Legal, Like your Job. Pick TWO.

Re:It's not shoe salesman vs IT, it's "one of us"

[xenocide2]

Networks are more of a Clint Eastwood Western than a John Wayne Western. A group of thugs fighting over who gets to rob the town.

Re:It's not shoe salesman vs IT, it's "one of us"

[Ihmhi]

think about it. it's job security.

specifically code a flaw in the code that's hard to find. a few months later, sell out the exploit. go back to the client and say "wow, these guys are smart, i didn't even think they could do that." then make more money fixing the flaw.

lather, rinse, repeat, and most importnatly in these troubled economic times, stay in business.

it's like a window company driving around at night and putting bricks through shop windows.

Re:It's not shoe salesman vs IT, it's "one of us"

I don't think the IT crowd are necessarily more noble than anyone else. I do think however that we hold ourselves to a very high _ethical_ standard generally. We are privy to countless secrets, and the opportunities are there to delve into the secret online desires of our clients - without the knowledge of those individuals, unlike a psychoanalyst who can only work with what the individual offers of themselves. To see a breach of these ethics by one of our own is a slap in the face, not only because of that breach of ethics, but also the trust inherently given by the client is diminished.

Re:It's not shoe salesman vs IT, it's "one of us"

[mqduck]

Outside of the money and women

After 14 years of graduate school, Farnsworth settled into the glamorous life of a scientist: Fast cars, trendy nightspots, beautiful women -- the Professor designed them all working out of his tiny, one-room apartment.

You don't say!

[ethana2]

In other news, Confessed Botnet Victims are Windows Users.

Hear that sound?

[yttrstein]

That's the sound of 30,000 other security professionals simultaneously saying "no shit!"

15 what?

[furby076]

spent the past 15 working as a professional in the security scene

Common CmdrTaco... Months...15 months....

Re:15 what?

Common CmdrTaco. Your welcome

You're very welcome, uncommon furby.

Re:15 what?

Common CmdrTaco... Months...15 months....

As opposed to the Uncommon CmdrTaco?

the way things should ideally work:

[circletimessquare]

discover a security exploit and alert everyone: should get hero's reward

discover a security exploit and uses it, to harmless effect: should get thanks for discovery, a frown, and no reward

discover a security exploit and use it to, well, exploit: throw the book at him

unfortunately, it seems that all three classes of white, gray, and black hats get the same treatment

i'm not bringing the three classes up to argue leniency for the reprobate who made the botnet, i'm bringing up the fact that this guy is an example of someone who really should get punished severely, in contrast to gray and white hats who serve society and are unfortunately treated as the same class of criminal, when they are clearly not

this guy is the contrasting example of what a gray and white hat could have done with their knowledge, but chose not to. people need to be more aware of the valuable service gray and white hats provide

title/summary needs better grammar

[Vamman]

I'm not grammar queen but come on CmdrTaco! This one hurt my brain cell. I think I lost one =)

You really want a rape analogy?

[Cajun+Hell]

The analogy just doesn't work. When you look at how someone becomes part of a botnet, it's often a Windows user choosing to execute something. It's social, not technical, not force.

The closes I can get to a rape analogy is that a woman seeks out a man, asks him for sex, does the deed, and then the next morning decides he wasn't the guy she was looking for. He was supposed to be a pretty screensaver, and instead turned out to be a spambot. There he is, in her bedroom, writing letters and taking stamps out of her desk.

The guy's an asshole, probably a con artist and maybe a thief, but he's not a rapist. It's just not in the same league of injustice.

Re:You really want a rape analogy?

[MozeeToby]

The closes I can get to a rape analogy is that a woman seeks out a man, asks him for sex, does the deed, and then the next morning decides he wasn't the guy she was looking for. He was supposed to be a pretty screensaver, and instead turned out to be a spambot. There he is, in her bedroom, writing letters and taking stamps out of her desk.

No, the anology here would be: A woman asks out what seems to be a nice man for dinner. At dinner he slips a roofy into her drink, drags her back to the car and rapes her. The next morning she knows that something is wrong, but can't remember a thing and so doesn't properly report it or deal with the consequences.

Re:You really want a rape analogy?

[Nick+Ives]

I'd view it more like raping someone with learning difficulties. Windows boxes often just don't have the capacity to say no or understand that what their doing might be wrong, they just lack that sort of basic awareness.

So it's more a case of someone asks a nice man for a lollipop but due to using Windows they can't tell if the man is really nice or indeed if that's really a lollipop.

Re:You really want a rape analogy?

[BrokenHalo]

Rape analogies are dangerous, but we could pursue this one:

(1) In most Western cultures, women who dress provocatively have been considered in their respective judicial systems to have contributed to their rape.

(2) Despite repeated "common-sense" warnings for avoiding being scammed on the internet, people still get sucked in by obviously fraudulent behaviour.

I'm not passing judgement on either, but the comparison is worth consideration...

Re:You really want a rape analogy?

[5865]

It's more like the rapists would always target the skirt wearers over the pants wearers because of the relative lower barrier to entry and the pants wearers would try to convert their skirt wearing sisters from their erroneous ways by calling them little sluts and being condescending.

What the pants wearers don't realize is that it takes a significant investment of time and effort to learn how to slip into a pair of pants for people who don't sew pants for a living. Thus, the skirt wearers would rather spend extra money on mace or pepper spray that they can operate with a push of a button in times of emergency.

Thing is, the pepper sprays leak into their skirts and whatever garments they are wearing underneath and leave them with a burning sensation and even then the skirt wearers would rather burn their coochies than learn how to slip into a pair of pants.

Re:You really want a rape analogy?

[CaptCovert]

Analogies that liken Windows users to someone with learning disabilities is so 10 minutes ago....

Re:You really want a rape analogy?

[Cajun+Hell]

No, the anology here would be: A woman asks out what seems to be a nice man for dinner. At dinner he slips a roofy into her drink..

I just don't think that's a realistic analogy when we're talking about the internet, where the default expectation of foreign code is that it is hostile. In real life, sociopaths are rare enough that you don't necessarily have to wonder if this guy is Ted Bundy. On the 'net, you know plenty of people are out to get you.

At least make it, "A woman visiting a warzone on an alien planet, asks out what seems to be a man, but he shows up wearing an encounter suit. In plain view he drops a mysterious pill into her drink right in front of her, and says, 'try this; it's amazing!.'"

Re:You really want a rape analogy?

[RiotingPacifist]

Thing is, the pepper sprays leak into their skirts and whatever garments they are wearing underneath and leave them with a burning sensation and even then the skirt wearers would rather burn their coochies than learn how to slip into a pair of pants.

Unfortunately as they cant tell if its a lollipop, they get raped anyway without even trying to use the mace. Hell if they've been raped many times before they may not even realize its happening!

Grammar Nazi Says...

[amclay]

The title should have been "Confessed Botnet Master is a Security Professional."

Smart People

[blhack]

This comes from highly intelligent people not having an outlet for their intelligence. They guy is a painter that lives in a world where paint has been banned. Of COURSE he is a criminal.

The engineer in all of us is going to go "What caused this? how can we fix it?". I don't know. Part of me wants to blame the schools. From personal experience, I know that some of the things my friends and I did in high school were illegal. The school system hated us. We were all failing out of class and constantly arguing with the teachers. School wasn't giving any of us an opportunity to get out there and stretch our intellectual legs. Naturally we gravitated towards breaking into the computers at the school.
I think that a good majority of slashdot probably has had a similar experience to what I'm describing.
Most of us did exceptionally well on our college entrance exams (good enough to get accepted with our horrible grades, at least) and some (not all) of us even tried going to college. College was more of the same. Failing classes, teachers that hated us, and breaking into the computers...
It was like a drug. The real world was boring, plain, predictable. Computers offered us a sandbox to play in that had things in it that made us work.
It is the same phenomenon that gets people addicted to WOW; WOW allows people the social stimulation that they don't (generally) find in the real world.

Re:Smart People

[schnikies79]

The only person that can be blamed is him. Not his parents, not the school, not society.

No one put a gun to his head and made him hack. Take some responsibility.

Ridiculous.

Re:Smart People

[CannonballHead]

Um. "Lack of intellectual outlet" is no reason to break into a school computer. Why didn't you and your buddies set up computers for each other to break into?

Or maybe it's more the "thrill" that people are looking for, and we like to attribute it to "intellect" because that sounds much less criminal and much less evil/wrong. We don't like being "wrong."

Re:Smart People

[ScentCone]

This comes from highly intelligent people not having an outlet for their intelligence

What a load of crap.

They guy is a painter that lives in a world where paint has been banned. Of COURSE he is a criminal.

Yeah, if only this guy had lived in a world where it's OK to steal from other people's bank accounts. That would be a great world, wouldn't it? Just think how much would get done if nobody could trust a bank! Why, it would be a grand new society! And people who desparately need the "outlet" of stealing things from other people in order to feel good about themselves would finally be able to live a more peaceful, happy life.

Um, unless the fact that there's no risk, and no longer any chance to be the guy weilding technology with malice makes it no fun anymore, right? How many vandals would there be if there was no cultural care about destruction of property? Without the thrill of screwing someone else out of their time, property, and efforts, what's the point? Right. The point is the power trip and the pleasure from destruction and getting away with something. That's why guys like this would still be rotten even if there weren't computers and networks. You think he's highly intelligent and just being kept by his evil school from using it? Are you really one of these people that thinks it's up to the schools to amuse everybody according to their own individual tastes, level of boredom, and lack of enough imagination to do something outside of school to keep busy and interested?

Re:Smart People

A lot easier to break into a store without breaking any physical objects. It's still not allowed but when only people like yourself can find you and understand how you broke in... well then it's more of one dude doing whatever he wants with the off-chance that there might be somebody smart enough to understand what was done and there might be somebody smart enough to find him... key word "might". Video cameras and security guards have a much better chance at catching the guy breaking in the door and taking watches vs this guy that is nearly invisible, unobtrusive, non-destructive, and sly.

Throw him away for one year for every time he had a bot... I'm sure after the 3rd the only other exciting bots he made were the 100th, 1000th, 100000th, 150000, 200000, and then the last one...

Put him in jail for at least how long it took him to create that network...

Re:Smart People

[thePowerOfGrayskull]

e engineer in all of us is going to go "What caused this? how can we fix it?". I don't know. Part of me wants to blame the schools.

Not really. I blame him. He's the only one responsible for the decisions he has made.

Re:Smart People

[blueg3]

They guy is a painter that lives in a world where paint has been banned.

Since when has paint been banned? It's illegal to hack others' systems, yes. Likewise, it's illegal to break into other people's houses, etc.

It's not illegal to break into your own systems, uncover vulnerabilities, etc. While I suspect at least someone will claim you can be sued or go to jail for finding software vulnerabilities, people do it all the time. They're computer security researchers. (Some of them even have their own botnets, but not using others' machines -- that is beyond the hobbyist level of investment.)

There are plenty of productive ways for him to have challenges, even within the same field, without resorting to illegal and unethical acts.

Re:Smart People

[Opportunist]

Sorry, but no, sorry.

I'm also a painter in the world where paint is banned. Exactly the same situation. Yet paint is not entirely banned. You can get some from people who hand it to you to paint them a nice picture. Or, to get away from the metaphor, you may hack any server whose admin hires you to do just that.

Re:Smart People

They guy is a painter that lives in a world where paint has been banned. Of COURSE he is a criminal.

No, he is a guy who was trying to rip off people's personal information for personal gain. Which, gratefully, is banned in this world.

Part of me wants to blame the schools.

This is the primary flaw in your argument. There is no one to blame here. He is the only one to blame here. He made a choice to commit a crime and is accountable for it. I grew up with a much more "deviant" childhood than what you described. I do not commit these crimes because I choose not to. It's to no credit of the schools, organized religion or any other bullshit. I CHOOSE not to do these things.

Re:Smart People

[CAIMLAS]

Oh, he's fully responsible for his own actions.

Just as the people who were exploited are responsible for having been exploited. Their own damn fault.

No, that is not a contradiction. You'd get fired if you, as a security professional, were responsible for the network and it got taken down, would you not? Same kind of thing with those he exploited. Responsibility is responsibility, regardless of scale.

(Note, legal fault/responsibility is different than personal responsibility, obviously.)

Re:Smart People

[ceoyoyo]

Or you're welcome to set up your own server and hack THAT.

This guy is a painter who insists on painting only on old masterpieces that he's stolen from museums.

Re:Smart People

[Opportunist]

If you're REALLY good and REALLY smart there is some really good (and legal) money in being a hired hacker. Get a contract, start working.

Actually, it's the crappy hackers that end up like this asshat. Sure, it's easier to hack machines that were never meant to be secure (like, say, the average home user Windows machine). I actually refuse to call it a "hack", but he sure is a hack.

Devine Comedy

[0100010001010011]

Well he's already on path for the 8th or 9th circle of hell.

8th Circle:
Bolgia 8: Fraudulent advisors are encased in individual flames.

9th Circle:
Round 2: Antenora is named for Antenor of Troy, who according to medieval tradition betrayed his city to the Greeks. Traitors to political entities, such as party, city, or country, are located here.

Re:Devine Comedy

[Chaos+Incarnate]

But that's just the normal Hell. Doesn't he deserve the special Hell, along with child molesters and people who talk in the theater?

Re:Devine Comedy

[frosty_tsm]

"Well isn't that... special."

Re:Devine Comedy

[Arcane_Rhino]

Great series. +1 cool mod for legitimately working the phrase into the thread.

Re:Devine Comedy

[hesaigo999ca]

Played lots of D&D when we were young I see!

Re:Devine Comedy

[Cowmonaut]

No, he didn't.

70 years for MacKinnon?

[gb7djk]

So prosecutors are asking for 5 years for stealing 1000's of bank details by a professional security consultant. Yet for that dastardly foreigner (MacKinnon) and complete amateur that embarrassed the military and did not steal or actually damage anything other than the US Government's pride with his dial-up modem - he is in line for 70 years. Is it just me or is there something wrong here?

Re:70 years for MacKinnon?

[tnk1]

No, the lesson is, you shall not fuck with the military. They are in the habit of hurting back. It doesn't help that the military is generally in the habit of hurting foreigners and MacKinnon is a foreigner.

I mean really, if you tried to hack into the Russian Army's or Chinese PLA's databases, what do you think would happen to you if they could get their hands on you, or even if they couldn't (read: ricin)?
 

Re:70 years for MacKinnon?

[mandark1967]

Think of it in this context

If my 5 year old takes my 3 year old's toy he gets less punishment than if I caught him stealing from some other family. That's not bias. That's common sense.

If the role was reversed, I'd hope that you blokes in the UK would ream the hell out of a 'mercan who gained unauthorized access to your defence establishment's network.

Re:70 years for MacKinnon?

[gb7djk]

I would hope that he would be treated in the same way as everyone else. He would be prosecuted under the Computer Misuse Act (1990) and he would get 2 or 3 years.

The sad part is that he committed the offences in the UK and should prosecuted here. If he were a US citizen, accessing the UK military, he would be prosecuted in the US (and get 2 or 3 years for poking about looking for "secret" UFO info).

The only reason that he is being extradited in this way is because the US can request it, without showing any probable cause, and the treaty is retrospective.

The treaty is designed to allow easy access to "terrorists", but has overwhelmingly been used for white collar crimes (eg Enron). Whilst the US can request extradition for whomsoever they decide, the reverse is not true for the UK.

Re:70 years for MacKinnon?

[jjohnson]

Why would the UK sign an extradition treaty that only goes one way? That seems dumb.

Re:70 years for MacKinnon?

[dbIII]

That is the price of trade deals with the USA.

Re:70 years for MacKinnon?

[gb7djk]

Dunno. Too supine or there was a gun held to its head. We won't find out for at least 30 years (and then only if we are lucky and the reason is not too embarrassing to be embargoed for 50 or 100 instead).

But it is as it is. The US can extradite from the UK without probable cause even if the alleged offence does not exist in English Law or even if the offence was committed in the UK on UK people.

No, I expected him to be a securities manager

[swb]

...or maybe that will be his new career. They could use a man of his honesty in that field.

Linkedin Profle?

Is the the same guy whose linkedin profile is here:

http://www.linkedin.com/ppl/webprofile?action=vmi&id=12553940&authToken=bUKc&authType=name&trk=ppro_viewmore&lnk=vw_pprofile

I'd start using a middle name if I had the same first and last names and was employed in the same city as this guy.

Doesn't speak well for his employers' due diligence either....

This FP for GNAA

NNed to join the

Fixed it

[DeanFox]

"Quit being a bitch and claim it," Schiefer told an juvenile apprentice named Adam, according to court documents.

How the tables turn. Now it's Schiefer who's going to be told, "You're my bitch now, I claimed it".

-[d]-

"...who in last 2007..."

[spikejnz]

Are we expecting another 2007? One can surmise that he most certainly did not set this up in 2007 BCE. Or did he?!

Re:"...who in last 2007..."

[ALF-nl]

2007 is soooo two years ago!

Whyy doesn't this seem surprising?

[rwwyatt]

I wonder just how many security "professionals" are actually ethically compromised. When there is a conflict between money and ethics, money usually wins.

Re:Whyy doesn't this seem surprising?

[spikejnz]

I'm telling your employer! ...then again, you'll likely get a raise and a corner office.

Re:Whyy doesn't this seem surprising?

[Shadow-isoHunt]

Who's ethics, your's or mine?

Re:Whyy doesn't this seem surprising?

[CaptCovert]

We call those guys 'management'.

To bad He didn't Download Two Songs Off the...

[Il128]

Internet. If he had he'd be facing ten years and a half million dollar fine.

Re:To bad He didn't Download Two Songs Off the...

[VillageDolt]

Say he was convicted of "sharing" 250,000 songs instead, then he would be facing 1,250,000 years?! Since botmasters like this guy drive up costs for most PC users by them purchasing security software (or using/switching to linux), I would say 10 years minimum would be appropriate.

Devil's advocacy...

[BrokenHalo]

There's some skill involved and you have to know details about vulnerabilities and how to exploit them.

Indeed. Many moons ago (back in the early 1980s, when "IBM PCs" were still new and beginning to be affordable) I was a security consultant to a certain large technology company not far west of London. Part of my brief was to write aggressive self-replicating routines in an attempt to disrupt crackers' activities. Thus I might claim credit for a few of the earliest viruses, but that's not really my point, which is that in those days work like this was done in assembly code, and as such was reasonably challenging. I was quite proud of it for that reason.

I haven't kept up with this particular technology, but I gather viruses such as these are a lot easier to craft now, particularly since users don't typically notice small (or even large) drains on resources any more.

Regardless of whether or not one admires botmasters' motives (and I don't) crafting botnets on a large scale has a certain "cool" factor, since there is quite a lot of work, skill and even artistry involved in setting them up.

Re:Devil's advocacy...

[CAIMLAS]

Regardless of whether or not one admires botmasters' motives (and I don't) crafting botnets on a large scale has a certain "cool" factor, since there is quite a lot of work, skill and even artistry involved in setting them up.

Absolutely. Just for shits and giggles, a friend and I crafted an autonomous botnet engine, where each node could (and did) serve as a limited master, automatically negotiating master in a similar fashion to how human group psychology would dictate. It has a very low network signature due to how it communicates and infects, and the primary 'design goal' was to make a worm which could propagate (ie no payload).

We never released it, but we did it because it was fun. It was like playing chess, in a sense.

Don't insult our intelligence...

[argent]

This comes from highly intelligent people not having an outlet for their intelligence.

Say *what*?

You're insulting all the smart people who found an outlet for their intelligence, especially those of us with spotty academic records who somehow managed to avoid turning into criminal bullies. Maybe it's not "society's fault" after all?

"I'm not saying that they're right

[circletimessquare]

but simply their perspective is narrower and maybe even biased."

i will say without a doubt that they are flat out wrong

the issue here is the scantily clad woman getting raped, and the clueless computer user getting hacked: are they to blame for their plight? no, they are blameless

sure, if they dressed like prudes and they surfed from a tor proxy, they wouldn't be in the plights they are in. but that offers up no lessons on the issue of repsonsibility. you can cause something, but not be responsible for something. likewise you can be responsible for something, even though you didn't cause it

for example, if i call a guy an idiot on the internet, and the guy stabbed me, i caused the guy to stab me, but the guy who stabbed me is the responsible party, not me. he committed the transgressive crime. blaming me in any capacity is morally incoherent

to believe otherwise is to not believe in personal responsibility. responsibility for a situation always falls on they who commits the gravest transgression, according to any cohesive moral code. and simply wearing skimpy clothes, or being clueless about computers, is but a minor foible compared with rape or hacking

to not understand this about morality is to not understand much about morality at all

Re:"I'm not saying that they're right

[clone53421]

for example, if i call a guy an idiot on the internet, and the guy stabbed me, i caused the guy to stab me, but the guy who stabbed me is the responsible party, not me.

I'd like very much to see the specs on that stabbing-over-the-internet protocol...

Re:"I'm not saying that they're right

[WTF+Chuck]

Forward those specs to me when you get them. I have a few beta test subjects in mind.

Re:"I'm not saying that they're right

[clone53421]

When I get them, you'll be the first to know. Just listen for the horrible screams coming from the cubicle across from you.

Re:"I'm not saying that they're right

[WTF+Chuck]

Well hell, there goes one of my beta test subjects.

Re:"I'm not saying that they're right

[clone53421]

Sorry about that. But hey, at least you'll know it works.

Sith Lord

[Ukab+the+Great]

"Quit being a bitch and claim it," Schiefer told an juvenile apprentice named Adam

Always two there are, a master and an apprentice.

Meet the new days, just like the old days

[nathan.fulton]

"Their culprit would turn out to be a pimple-faced highschool kid dialing in with his VIC-Modem and Commodore 64, and then he'd maybe even get a drudging job offer. Nowadays the job offer part comes first."

In all likelihood, the culprit is a former pimple-faced highschool kid who used to dial into machines with his Commodore 64.
The crackers grew up. Some of them moved on, some of them didn't.

not too dangerous

I'd rather have 250 virtual thefts than a single forced entry theft.

What this guy didn't do is cause extreme emotional stress that a normal burglary would. This guy needs minimal jail time if any, and then some public service. The guy isn't exactly stupid, put his talents to use.

Re:not too dangerous

[WTF+Chuck]

Yeah, no stress at all when you start getting tons of overdraft charges/notices from your bank because some asshat emptied your bank account without your knowledge. Oh yeah your rent/mortgage/whatever is due a couple of days after you find out, and at the start of a holiday weekend at that.

At least with a regular burglary, or hell even a bank robbery, I know that the money I have in the bank for taking care of rent, bills, fixing/replacing shit because of the burglary is still there. Now if I was home at the time of the burglary, then I would be more worried about cleaning up the bloody mess made when dealing with the intruder, (yes, it is perfectly legal to shoot home invaders where I am at).

I know John.

John helps run awknet.com.

lol? Virtual crimes with real life punishment!

The funniest thing about this, is someone is going to jail and half of slashdot is calling to "burn him" for pushing buttons on a keyboard.

A kid somewhere in the world, sitting in front of a computer, pushing some keys on a keyboard. And now he's going to jail.

el oh el internets.

holy mangled syntax, batman!

[jollyreaper]

"John Schiefer, the Los Angeles security consultant who in last 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing.

Even worse, I hear the submitter has been working the past 15 months as a professor of English language while awaiting sentencing for negligent grammarcide.

Why call yourself an editor?

[Slash.Poop]

John Schiefer, the Los Angeles security consultant who in last 2007 admitted

John Schiefer, the Los Angeles security consultant who, in 2007, admitted

In all seriousness...

[CarpetShark]

From TFA:

Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society.

From your comment:

...the US prosecutor could just allege that he's capable of starting World War III...

In all seriousness, it's a really bad idea to suggest that being capable of something, or representing a threat, is enough to punish someone for. Yes, this guy has probably caused a lot of damage. Should we convict him on the "probably"? No. Get some real, hard evidence, then do something. Preferably, do something useful, like show him how much damage he caused, and introduce him to the people who's lives he messed up, rather than just taking revenge on him. People who do that (namely, most of the so-called justice system) are part of the problem that makes this a dog-eat-dog world, not part of the solution.

Re:In all seriousness...

[HTH+NE1]

In all seriousness, it's a really bad idea to suggest that being capable of something, or representing a threat, is enough to punish someone for.

Yeah, I'm not sure why I'm getting Funny mods for referencing the treatment of Kevin Mitnick either.

Re:In all seriousness...

From TFA:

Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society.

From your comment:

...the US prosecutor could just allege that he's capable of starting World War III...

In all seriousness, it's a really bad idea to suggest that being capable of something, or representing a threat, is enough to punish someone for...

As the kids like to say: "Woosh".

2 Sides to the coin

[PingXao]

If I was relatively ignorant of security matters there's no way I'd let this guy anywhere near my systems. On the other hand, knowing what I know, this is exactly the guy I'd want for the job. I'd insist, of course, on detailed information about his actions, that I could audit myself if need be. I'd much rather have someone who knows what they're doing than some of these security outfits who are basically charlatans.

I Drink Your Milkshake.

[CompMD]

You've got your computer over there, and I've got my computer over here, and I have a looooonnnnggg series of tubes connecting my computer to your computer. Your computer has your bank account information in it, so through this long series of tubes, I go into your computer and take your bank account information...

"Pushing some keys" my foot.

what?

[circletimessquare]

you've never heard of a blade server?

I may be the only one but...

[Castletech]

I am actually impressed he had a 250,000 strong botnet. Sure cracking bank passwords is bad, but not really. No one get's physically hurt, banks are insured, no guns, and no police chase after the getaway car. Someone steals your pin and withdrawals your account it's not like you are screwed for life. It's not like the money is even real or the bank can just undo the changes. Your money is numbers on a screen and sometimes paper representing numbers on a screen. I give this man credit for finding a safer way to rob banks. Saying the man deserves some kind of lynching or any other type of strange punishment is nuts.

Re:I may be the only one but...

[plnix0]

You're exactly right about the money not being "real". Then again, paper "money" isn't any more real either. The guy is still a thief though, if he did actually use the info to steal money from people's accounts, even if they do hold only fake money. As robbing banks is wrong, finding a "safer" way to do is of course still wrong, but the punishment should be proportionate to the crime.

Advice.

[Cytlid]

Don't.
Be.
Stupid.

It might be slightly trickier than that

[I)_MaLaClYpSe_(I]

Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.

Well, you can arm a PoC Exploit and crack a few PCs that way. Then you have only access to the box. Typically this might get detected quite fast by AV vendors, so you better have to obfuscate that code some more.

So by then you have a working sploit but you are not somewhere near to a botnet. First, you need code that stays on the box meaning it should start itself when the machine gets booted up. And if you want to be successful you should not choose HKLM/local...entVersion/run/ but something more subtle. The easy way to go here would be another less known registry value but this means executing a process that can be seen and thus be dealt with in your task manager. So, ideally you inject a dll into another process. Now that already takes quite some knowledge.

Now you still do not have a botnet, still far from it but closer.

No, you need a mechanism to distribute that code. That could be using the armed PoC exploit, brute forcing shares in the net, infecting files, copying to other devices or inclusion in Zip files etc. or just emailing itself in a combination with social engineering techniques so the recipient will execute that malware of yours.

And writing your own SMTP engine in assembly might not be that easy anymore. But for the sake of the argument, let's say you want to exploit a Windows SMB vulnerability. Then you have to think about algorithms for finding an IP address in an effective manner. And you have to make sure that it does not spread to fast because then you create a lot of noise that will get peoples attention and you even might cause enough scanning/exploitation attempts to clog the very pipes you need to spread.

That having said, you will want to disturb the work of antivirus companies. That means you have to identify the net ranges used by these AV companies and design your spreaing algorythm in a way that excludes those ranges. Then you will want to block AV software on infected hosts from getting signature updates, so you have to identify those IPs/DNS names as well in order to block the hosts access to them. As you can enter your victims through an exploit you even have the chance to avoid AV detection as a whole which means that you have to cleverly hide your presence form the AV or you (try to) disable the AV software altogether without the user and the host OS noticing. Not so easy at all! And you want to avoid to be dissected all to fast, so will want to implement some more obfuscation: assembly level anti-debugging features, self written executable packers, maybe virtual machine detection etc.

Congratulations, you now have written a worm. Of course you better test it with various OSses, languages, releases and AV systems, right?

Now, you still do not have a botnet!

For a botnet, you need some command and control structures. You need to communicate with your victims. Now that makes you easily traceable, so you might want to make your botnet a double-fast flux peer-to-peer network. Easy, isn't it?

And then you just have to find a way so that the money you are trying to make off of that botnet does not get easily traced back to you.

But yes, I agree, all it needs is a script kiddie that can exchange some NOP and 0xEB 0xFE code with a working payload, right? As easy as winking.

Clearly that guy neither must have any real knowledge about IT security nor can he be intelligent or skilled in any way.

Which, BTW, does not mean that I do not condone this, in fact I do. But if you happen to have those skills and you probably have invested significant time into learning everything about it and you are being paid just a bit over minimum wage (e.g. because you were on parole or for some other reason) and you are told every second day that your skills are

Re:It might be slightly trickier than that

[TheRealMindChild]

The fact that you put that kind of time into such a reply is rather sad. You are playing up something that is way simpler than you want anyone to believe. Maybe you have your own botnet that is falling apart at the seams. I have no idea. My reply was a kneejerk reaction to someone who ALSO tried to play up how "hard" it is to successfully exploit a Windows machine.

You know what it takes to create a botnet? Throwing a torrent up on thepiratebay.org something along the lines of "Windows XP SP3 Corporate Edition WGA cracked" or "Adobe Photoshop CS4 Keygen". What is even sicker about this vector is, you might actually deliver what you are saying they would be downloading. Hell, you don't even need to be programming savvy. Hide your code in DLLMain of any random DLL on the machine (MFC or VB6 virtual machine DLLs are possibly a good choice). SIMPLE stuff. It may sound complicated until you actually do a Google search and see the code. And that "DLL Injection" you swore was "so hard"... you can either use "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"/CreateRemoteThread/SetWindowsHook(Ex) and/or a Browser Helper Object that has become ever so popular. All easy-to-understand Google-search-away crap. Coordinate over IRC/Usenet/Tor/web forum/comprimised ftp site/already exploited zombie pc/whatever.

I could go on and on, but I think I said what needs said. If you think it takes "writing your own SMTP engine in assembly", may $GOD$ help your children.

Special Hell. Obligatory.

[Erris]

He worked for banks, you can't get much more special than that. Windoze hell hole for sure. In jail, he will meet more honest criminals. Now for the obligatory bad joke.

In Soviet Amerika, banks call you threat to society.

We now return you to your regular program, where your retirement is worth 1/4th of what it was 8 years ago and you are soon to be fired like all the other worker bees.

Warning: Known sockpuppet/troll

User maintains more than a dozen sockpuppet accounts on Slashdot.

Punishment proportionate to the crime?

[plnix0]

How about making the punishment actually fit the crime? I've always thought the most just crime for theft is not prison, but as stated in the Bible, "if the thief be found, he shall restore double". Most importantly, the victim actually gets compensation for what was stolen, plus some for his trouble. This is a just compensation which actually benefits the victims of a crime. Far more so than locking the guy in jail, especially for a crime which is not imminently violent, is.

troll mod

[Gary+W.+Longsine]

Your theory on the troll mod is total bullshit. Most of us IT security guys here have been modded "Troll" so many times that we haven't seen mod points for years, and will never see them again, despite "Excellent" karma. Like every other troll mod here, very special idiot moderators with unlimited mod points are probably to blame, along with other random idiots who just happened to have a few mod points now and then.

Re:troll mod

[Ethanol-fueled]

Fuck the moderators. Those idiots are dumb as shit.

Hey you...yes, you with the shit-eating douche-grin. Gotta few points? Oh please do waste some on me while you're at it, fuckface!

What you really need to know

The real info about his case from the DOJ: http://www.usdoj.gov/criminal/cybercrime/schieferCharge.pdf

His sentencing has been postponed twice. Currently scheduled for sentencing on Feb 25, 2009.

Currently working as the only system and network administrator at an LA start up that is a search engine/social networking company. If you've ever watched or listened to Love Line, think Adam Corolla and his famous saying before they close the show and that's the place you may want to check your bank account if you use them, as they are heavily integrated with paypal too. I would use a different search engine at least until the fire they guy and secure their network. You may want to check your Amazon S3 as they use that service.

I don't know about you, but a guy like that should not be allowed to work in IT while awaiting sentencing or after sentencing. Also, the company he is working for, knows who he is and is choosing to keep him as the system admin. They believe he is reformed.

But the worst part of the whole thing, that company shares an office space with another company who has like 20+ employees and they all share the same network, and they have no idea he's in there! good luck to you people who share the office and network!

How do you propose to do that?

[Moraelin]

Actually, here's a fun thought:

1. The people in prisons score on the average over 20 on the antisocial personality disorder scale, which is to say you have a spectrum ranging from borderline sociopathic to outright psychopaths. A normal person scores 2-3.

2. There is no known way to turn a sociopath into a normal person. Trying to psychanalyze them just teaches them to fake the answers that will hide their callousness better.

3. Showing one the damage he's done and the people whose life he's destroyed... does nothing whatsoever, since a sociopath doesn't give a fuck about other people in the first place. They live in a single-player world, with them as the player and the rest being about as important or empathy-worthy as the NPCs in <insert MMO or RPG>. You can lie to them, manipulate them, cause all the harm you can get away with, whatever advances your quest or keeps you entertained. It doesn't matter, they're just NPCs. That's the kind of world a sociopath lives in. It includes even their own children, not just strangers who downloaded a virus.

4. They have a tendency to not have a sense of personal responsibility. They'll just shift the blame to someone else (e.g., the victim for being too stupid to download a virus) or rationalize it in any other way.

So, seriously, if you know some way to "undo" sociopathy, by all means, we'd all be very interested to hear it. But otherwise let's bury the retarded idiocy already that prisons should be some touchy feely school in respecting other people's feelings. These guys just can't do that.

The only thing they do understand is, basically, "let's not do something that will get me locked up for good". Well, some of them. Turning it all in just a slap on the wrist and some pouty "you've been a meanie and upset people" lesson will just remove that deterrent too.

Re:How do you propose to do that?

[CarpetShark]

The difference between you and me is that you would judge these people on how they are now, and deem them irreparable. I would judge the society that made them that way (including attitudes like yours, I'm sorry to say), and judge it in dire need of change.

But we have fundamentally different views, so let's not get into a long argument about this. I see where you're coming from and respect your intent. I just don't agree at all.

Re:How do you propose to do that?

[Moraelin]

Look, I'm not going to say that they're 100% irreparable. I'm saying that a lot of psychologists and psychiatrists tried to repair them, and nothing worked. I'm saying that

A) we _don't_ _know_ how to repair them, and

B) if there's a way, it's certainly not as simple as pouting and showing them the people harmed. That's been tried, it never worked. I fail to see how repeating that we should try that again is going to make any difference.

Re:How do you propose to do that?

[CarpetShark]

Whether nothing worked is highly debatable. There have been many people over the years who've reformed there characters. I've no doubt there are modern cases available if you look, and I could even point you to stories of reformed characters that go back over 2500 years -- Angulima, for instance, who was a serial killer who wore body parts as a necklace, according to the accounts. Whether you choose to consider these anecdotes is up to you, but I think it's much less scientific to be a person who discounts human stories in discussions about the human condition, than to be a person who considers them.

Re:How do you propose to do that?

[Moraelin]

1. Yes, we have a bunch of _stories_. It's been a popular subject for novelists, playwrights, myths, etc, because we all _like_ to believe that everyone is the same, and the scary criminals out there can be turned good by just appealing to their humanity.

It's like why crucifixes or garlic are supposed to help against vampires, a bit of iron helped against the sidhe (elves), silver keeps werewolves at bay, and why bringing offerings to the tribal totem was supposed to help you get a good hunt and keep you from getting eaten by a wolf. It's a scary thought that it's all a big crapshot and something or someone could terminate your life, without any "saving throw", just because you were in the wrong place at the wrong time. So for all dangers -- real and imaginary alike -- we've invented some bullshit defense. Just carry a bit of garlic with you against vampires, a bit of iron against the sidhe, and remember to appeal to the killer's humanity. Heh. Snake oil at its finest.

We have no scientifically documented cases of anyone who stopped being a sociopaths. So if your being "scientific" is believing myths and legends, well, you might have a nasty surprise at some point.

What we _do_ have, though, is people realizing "man, if I don't stop, they'll hang me". Or "lock me up for life." That's why, say, three strike laws actually made a heck of a difference.

What we also _do_ have is people who, basically decide to take it all with them, or rather blow their ill gotten gains on something that will get them remembered. Sort of like Bender building a giant monument to himself in that episode. So sociopathic robber barons in their old age blow most of their wealth on some charity or such, to carry their name for another century. But, here's the fun part, while being still just as ruthless to their workers, business partners, etc. Downside, that tends to only work for guys who managed to rob a few billions, not for small fish like this one.

In effect, all that can happen is the sociopath putting on another _mask_, if you can give him enough of a reason to. Elliminating the disincentive not to, well, I fail to see how that'll help.

2. Well, let's return to this case, and how much humanity he's shown so far.

At some point when one of his script-kiddie apprentices got second thoughts, do we see this guy thinking, "hmm, maybe he's right"? No, we see him telling said apprentice to "stop being a bitch."

And let me remind you that he has actually _seen_ the effects of his actions, because he was consulting for security to the same people. He _saw_ the havoc and stress he created, first hand. Then stole their passwords and pwned their machines.

Do I believe that he'll get reformed by seeing it one more time? Not bloody likely, I would say.

Re:How do you propose to do that?

[CarpetShark]

Yes, we have a bunch of _stories_.

Which is all we ever have, since nothing is certain, and science does not prove, but only theorises and disproves.

It's been a popular subject for novelists, playwrights, myths, etc,

Perhaps you need to ask WHY this has been such a popular subject.

because we all _like_ to believe that everyone is the same, and the scary criminals out there can be turned good by just appealing to their humanity.

Because, contrary to what you suggest here, history has shown that people like to demonise others; to pretend we're all different, that we could not possibly act the way that other person has acted, and that we are therefore justified in taking away their rights, enslaving them, gassing them, or locking them up. Kind of like you're doing right now, sadly. In fact, I could argue that your attitude to other human beings is downright psychopathic too:

a psychological gratification in criminal, sexual, or aggressive impulses

There's certainly an aggression and hostility in your attitude towards so-called criminals.

and the inability to learn from past mistakes.

Can't even acknowledge that the prisons are filling up, more crime is being commited than ever before, that your hate only generates more hate, etc.

I know which side I'd rather be on.

Re:BURN HIM! - Still Working as a Sys Admin

If you want to real story on his case just look up the DOJ release No. 08-043

Sentencing has been postponed twice, now scheduled for FEb 25, 2009.

Currently working as a system/network administrator for a Santa Monica startup, they are a search engine/social portal(hint: hawaiian word for thankyou). If your not using the usual google/yahoo/msn. be careful!