Slashdot Mirror


Confessed Botnet Master Is a Security Professional

An anonymous reader writes "John Schiefer, the Los Angeles security consultant who in last 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing. Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society."

36 of 278 comments

  1. BURN HIM! by erroneus · · Score: 5, Interesting

    He is one of those people who, in my opinion, qualifies for MUCH more harsh punishment. My opinions are on the far extreme though... not likely to happen, but it does call for a good old fashioned lynching.

    1. Re:BURN HIM! by HTH NE1 · · Score: 5, Interesting

      He is one of those people who, in my opinion, qualifies for MUCH more harsh punishment.

      Well, the US prosecutor could just allege that he's capable of starting World War III if given an opportunity to whistle into a telephone to get him thrown into solitary confinement. It might even be more believable than the last time they used it successfully.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    2. Re:BURN HIM! by Lumpy · · Score: 4, Interesting

      You were modded troll probably because many of the IT security guys here don't want to be lynched when they get caught for their dirty deeds.

      I don't want to kill anyone, but I am a big supporter of public humiliation. Part of his sentence needs to be 5 days in public stockades where people can throw non-sharp objects at his face, and/or take a few whacks with a switch to his body.

      --
      Do not look at laser with remaining good eye.
    3. Re:BURN HIM! by Sfing_ter · · Score: 4, Funny

      no a small netgear 8 port router with all the cables plugged in we 8 ports + 1wan = cat-o-9 tails :D

      --
      A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
    4. Re:BURN HIM! by wastedlife · · Score: 5, Funny

      CAT5-o-nine-tails?

      --
      Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
  2. BANKSTER wannabe by Anonymous Coward · · Score: 5, Funny

    He should have worked in finance. There it's expected for you to loot the company safe and walk away with billions of dollars. Leaving a burning building behind you, with taxpayers footing the bill for cleaning it up, is absolutely expected. Big career path mistake on his part. Perhaps while in prison he can study for his MBA and open a hedge fund on release.

    1. Re:BANKSTER wannabe by Ihmhi · · Score: 4, Funny

      Slashdotters have alts?

      What, were you bored with your original account and decided to roll a shammy?

  3. This should come as no surprise by htnmmo · · Score: 4, Insightful

    Not everyone can create a botnet. There's some skill involved and you have to know details about vulnerabilities and how to exploit them.

    Did you expect him to be a shoe salesman?

    This is like that guy from the Gaming Control board that was cheating slots.

    1. Re:This should come as no surprise by Anonymous Coward · · Score: 5, Funny

      Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.

      I'm sure every shoe salesman reading this knows exactly what you're on about.

  4. "in last 2007" by nedlohs · · Score: 4, Funny

    As opposed to the 2007 before that?

  5. Disgraceful by DeadPixels · · Score: 4, Insightful

    While I'm not surprised that it was someone heavily involved in the field, as a future security professional myself, I'm rather ashamed that this man's greed won out over his ethics.

    1. Re:Disgraceful by Opportunist · · Score: 4, Informative

      I am in the field, and I'm not ashamed for, but fuckin' angry at him.

      I keep talking 'til I turn blue to squelch the rumors that AV researchers spread malware themselves to have a reason to exist, we get that crap anyway. We try to hunt down asshats like that guy. And then, usually when you finally got at least part of the population to believe that you're actually out to help them, someone like him comes along and ruins it. For all of us. Try to build up trust when you hear that the person that claimed to help you actually was the one that infected you!

      I am, quite bluntly, insanely pissed at the guy.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. I miss the old days by MillionthMonkey · · Score: 4, Insightful

    Their culprit would turn out to be a pimple-faced high school kid dialing in with his VIC-Modem and Commodore 64, and then he'd maybe even get a drudging job offer. Nowadays the job offer part comes first.

  7. the past 15?!? by gEvil (beta) · · Score: 5, Funny

    ...says he's spent the past 15 working as a professional in the security scene...

    Oh my God! Only the past 15?!? I've already spent the past 120 perusing slashdot.

    Hint: qualifiers matter.

    --
    This guy's the limit!
  8. Being sexually abused is a mitigating factor? by Anonymous Coward · · Score: 4, Insightful

    Schiefer's attorney also said his history included a "substance abuse problem" and being "the target of sexual abuse."

    Riiight, because most victims of sexual abuse go and create botnets to steal bank passwords. Disingenuous much?

    1. Re:Being sexually abused is a mitigating factor? by Anonymous Coward · · Score: 4, Insightful

      Riiight, because most victims of sexual abuse go and create botnets to steal bank passwords. Disingenuous much?

      No, but they do engage in self destructive behavior such as substance abuse, addiction and crime.
      (not an excuse).

    2. Re:Being sexually abused is a mitigating factor? by blair1q · · Score: 4, Funny

      His future is going to look a lot like his past, then.

  9. Re:Proofreading? What's that? :p by Anonymous Coward · · Score: 4, Funny

    A little professionalism, please? KTHXBYE

    I don't even know what to do with that...

  10. 15 months, not years by immakiku · · Score: 5, Informative

    What needs to be clarified is that this is 15 months he spent waiting for punishment, not 15 years. And the lenient sentencing is because he ultimately did not cause much damage.

  11. insanity defense .. by rs232 · · Score: 4, Funny

    "An American security consultant who stole hundreds of thousands of online bank passwords by employing a massive botnet that he often administered from work"

    --
    davecb5620@gmail.com
  12. Re:Substantial Threat to Society? by MozeeToby · · Score: 5, Interesting

    What about the woman that gets raped on the street? Isn't she partly responsible for the rapist's behavior?

    Come on people, quit blaming the victim; especially when the victim is an average person (as is evidenced by the sheer size that many botnets reach).

  13. From your Friendly Security Professional by Anonymous Coward · · Score: 5, Funny

    My professional opinion is that Internet Explorer is a fast, reliable, and safe web browsing platform.

    Also, make sure ActiveX is turned on. It's important for your safety.

  14. Re:Substantial Threat to Society? by Beardo the Bearded · · Score: 4, Funny

    According to /. logic, if she didn't want to be raped, she should have closed her ports.

    --
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  15. It's not shoe salesman vs IT, it's "one of us" by Wrexs0ul · · Score: 5, Insightful

    I think the surprise doesn't come from the fact it was a security guy, but the idea that someone like a lot of slashdotters is that capable of hurting others. Outside of the money and women, part of what we do as IT is helping and protecting people in the wild west that is networks. The fact a "good guy" could be bad is an extra sucker punch because a lot of folks here deep down probably wouldn't do that, and would have a tough time associating with the reasons why.

    Idealistic, eh? Still, sucks when John Wayne saves the girl only to go rob the bank one town over.

    -Matt

    --
    --- Need web hosting?
    1. Re:It's not shoe salesman vs IT, it's "one of us" by Anonymous Coward · · Score: 5, Insightful

      I wouldn't be surprised to find that most people are not too far away from the Office Space mentality: Having something to lose, fear of punishment and lack of opportunities seem to be the only barriers. Why do you think Russia is teeming with black hats? Those are intelligent people who have little to lose and much to gain by joining the dark side.

      Ethics is a team sport. We're not all heroes who do the right thing no matter what is being done to us. The hero or one-man-army image of security professionals should fade away. It's a delusion. People of all ranks and professions have it in them, as you should have noticed in the recent months. You have to account for people going rogue. Redundancy, verification and limited power are the way to security, not hiring a wizard.

    2. Re:It's not shoe salesman vs IT, it's "one of us" by Anonymous Coward · · Score: 5, Insightful

      "Good? Bad? I'm the one with the gun." - Ash, Army of Darkness

      What do you mean, "one of us"? A common thief? An opportunistic prick who capitalizes on the ignorance of others? A coward, afraid to face the consequences of his actions? A foolish asshole who thought he would never get caught? None of those describe me (and I suspect not you either).

      Oh.. You mean he works in the IT department? That doesn't make him a "good" guy. In this country any asshole has the same opportunities as you or I. It's what we make of those opportunities that defines us.

      There is nothing inherently noble about working in IT.

  16. Re:Substantial Threat to Society? by Comatose51 · · Score: 5, Insightful

    Depends on who you ask. If you're asking a socially conservative, self-righteous "virtuous" woman, she might say "yes", it's the girl's fault. We know there are countries where people are like that. On Slashdot, if you ask a bunch of condescending techies about being a victim of a cyber crime, there's a good possibility that some of the people will blame the victim. I'm not saying that they're right but simply their perspective is narrower and maybe even biased. Personally, counting on people for reasonable, correct behavior is a fool's hope and failing to account for people's tendency to act less than reasonable is a weakness in any security system or protocol.

    --
    EvilCON - Made Famous by /.
  17. Re:Substantial Threat to Society? by Ephemeriis · · Score: 4, Interesting

    What about the individuals whose computers were compromised by him? Are they not themselves partially culpable for his actions? Shouldn't people feel compelled to not let themselves become zombies?

    Sure, I should probably lock the door of my house when I leave for work... It's probably a good idea to lock my car in the parking lot, too... But that doesn't mean it isn't a criminal act if you walk into my house and steal something.

    Yes, from an insurance standpoint not locking the door will likely have an effect. If my insurance company knows that I didn't lock my car they probably won't pay for any repairs it may need after being recovered. But the guy who steals it is still a criminal, still goes on trial, and still goes to jail.

    Just because someone didn't patch their computer doesn't mean it's OK to exploit those vulnerabilities. It's a weak point in the computer's security, not an open invitation. Are you suggesting that it's OK to break into someone's house because the windows are fragile?

    Creating a botnet from zombied computers is no trivial act. Simply exploiting a vulnerability takes some time and effort. It isn't as if this guy just kind of tripped over a botnet and accidentally stole some identities. This was an intentional criminal act.

    --
    "Work is the curse of the drinking classes." -Oscar Wilde
  18. 70 years for MacKinnon? by gb7djk · · Score: 5, Interesting

    So prosecutors are asking for 5 years for stealing 1000's of bank details by a professional security consultant. Yet for that dastardly foreigner (MacKinnon) and complete amateur that embarrassed the military and did not steal or actually damage anything other than the US Government's pride with his dial-up modem - he is in line for 70 years. Is it just me or is there something wrong here?

  19. Re:You really want a rape analogy? by MozeeToby · · Score: 5, Insightful

    The closest I can get to a rape analogy is that a woman seeks out a man, asks him for sex, does the deed, and then the next morning decides he wasn't the guy she was looking for. He was supposed to be a pretty screensaver, and instead turned out to be a spambot. There he is, in her bedroom, writing letters and taking stamps out of her desk.

    No, the analogy here would be: A woman asks out what seems to be a nice man for dinner. At dinner he slips a roofy into her drink, drags her back to the car and rapes her. The next morning she knows that something is wrong, but can't remember a thing and so doesn't properly report it or deal with the consequences.

  20. Re:Smart People by schnikies79 · · Score: 5, Insightful

    The only person that can be blamed is him. Not his parents, not the school, not society.

    No one put a gun to his head and made him hack. Take some responsibility.

    Ridiculous.

    --
    Gone!
  21. Re:You really want a rape analogy? by Nick Ives · · Score: 5, Funny

    I'd view it more like raping someone with learning difficulties. Windows boxes often just don't have the capacity to say no or understand that what they're doing might be wrong, they just lack that sort of basic awareness.

    So it's more a case of someone asks a nice man for a lollipop but due to using Windows they can't tell if the man is really nice or indeed if that's really a lollipop.

    --
    Nick
  22. Re:Devine Comedy by Chaos Incarnate · · Score: 4, Insightful

    But that's just the normal Hell. Doesn't he deserve the special Hell, along with child molesters and people who talk in the theater?

    --
    Benford's Corollary to Clarke's Law: "Any technology distinguishable from magic is insufficiently advanced."
  23. holy mangled syntax, batman! by jollyreaper · · Score: 4, Funny

    "John Schiefer, the Los Angeles security consultant who in last 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing.

    Even worse, I hear the submitter has been working the past 15 months as a professor of English language while awaiting sentencing for negligent grammarcide.

    --
    Kwisatz Haderach
    Sell the spice to CHOAM
    This Mahdi took Shaddam's Throne
  24. In all seriousness... by CarpetShark · · Score: 5, Insightful

    From TFA:

    Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society.

    From your comment:

    ...the US prosecutor could just allege that he's capable of starting World War III...

    In all seriousness, it's a really bad idea to suggest that being capable of something, or representing a threat, is enough to punish someone for. Yes, this guy has probably caused a lot of damage. Should we convict him on the "probably"? No. Get some real, hard evidence, then do something. Preferably, do something useful, like show him how much damage he caused, and introduce him to the people whose lives he messed up, rather than just taking revenge on him. People who do that (namely, most of the so-called justice system) are part of the problem that makes this a dog-eat-dog world, not part of the solution.

  25. It might be slightly trickier than that by I)_MaLaClYpSe_(I · · Score: 4, Interesting

    Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.

    Well, you can arm a PoC Exploit and crack a few PCs that way. Then you have only access to the box. Typically this might get detected quite fast by AV vendors, so you better have to obfuscate that code some more.

    So by then you have a working sploit but you are not somewhere near to a botnet. First, you need code that stays on the box meaning it should start itself when the machine gets booted up. And if you want to be successful you should not choose HKLM/local...entVersion/run/ but something more subtle. The easy way to go here would be another less known registry value but this means executing a process that can be seen and thus be dealt with in your task manager. So, ideally you inject a dll into another process. Now that already takes quite some knowledge.

    Now you still do not have a botnet, still far from it but closer.

    No, you need a mechanism to distribute that code. That could be using the armed PoC exploit, brute forcing shares in the net, infecting files, copying to other devices or inclusion in Zip files etc. or just emailing itself in a combination with social engineering techniques so the recipient will execute that malware of yours.

    And writing your own SMTP engine in assembly might not be that easy anymore. But for the sake of the argument, let's say you want to exploit a Windows SMB vulnerability. Then you have to think about algorithms for finding an IP address in an effective manner. And you have to make sure that it does not spread too fast because then you create a lot of noise that will get people's attention and you even might cause enough scanning/exploitation attempts to clog the very pipes you need to spread.

    That having been said, you will want to disturb the work of antivirus companies. That means you have to identify the net ranges used by these AV companies and design your spreading algorithm in a way that excludes those ranges. Then you will want to block AV software on infected hosts from getting signature updates, so you have to identify those IPs/DNS names as well in order to block the host's access to them. As you can enter your victims through an exploit you even have the chance to avoid AV detection as a whole which means that you have to cleverly hide your presence from the AV or you (try to) disable the AV software altogether without the user and the host OS noticing. Not so easy at all! And you want to avoid being dissected all too fast, so you will want to implement some more obfuscation: assembly level anti-debugging features, self-written executable packers, maybe virtual machine detection etc.

    Congratulations, you now have written a worm. Of course you better test it with various OSses, languages, releases and AV systems, right?

    Now, you still do not have a botnet!

    For a botnet, you need some command and control structures. You need to communicate with your victims. Now that makes you easily traceable, so you might want to make your botnet a double-fast flux peer-to-peer network. Easy, isn't it?

    And then you just have to find a way so that the money you are trying to make off of that botnet does not get easily traced back to you.

    But yes, I agree, all it needs is a script kiddie that can exchange some NOP and 0xEB 0xFE code with a working payload, right? As easy as winking.

    Clearly that guy neither must have any real knowledge about IT security nor can he be intelligent or skilled in any way.

    Which, BTW, does not mean that I do not condone this, in fact I do. But if you happen to have those skills and you probably have invested significant time into learning everything about it and you are being paid just a bit over minimum wage (e.g. because you were on parole or for some other reason) and you are told every second day that your skills are