Slashdot Mirror
Arizona Botnet Controller Draws 30-Month Federal Sentence
dgharmon writes with word from the BBC that "A U.S. hacker who sold access to thousands of hijacked home computers has been jailed for 30 months. Joshua Schichtel of Phoenix, Arizona, was sentenced for renting out more than 72,000 PCs that he had taken over using computer viruses." Time is cheap: Schichtel admitted to giving access to those 72,000 computers for $1500.
How about that !!
Should have incorporated his criminal enterprise into a bank. Then he wouldn't serve any time and the government would bail him out for business expenses. It's rather silly to commit individual crime when corporate crime pays more and there's usually no time served.
#fuckbeta #iamslashdot #dicemustdie
So, about 15-20 minutes for every PC infected? That's rather cheap, compared with sentences in cases concerning corporate network intrusions.
Just considering the personal information that could be stored on those machines and possibly accessed by someone with the intent of ID theft. It should have been a month for each machine compromised.
Just considering the personal information that could be stored on those machines and possibly accessed by someone with the intent of ID theft. It should have been a month for each machine compromised.
Playing devil's advocate but he did not access the personal information, he provided access. Should an ISP be liable for their customer's actions?
"Maybe this world is another planet's hell"
Aldous Huxley
Playing devil's advocate but he did not access the personal information, he provided access. Should an ISP be liable for their customer's actions?
In fairness, this had nothing to do with identity theft. He literally just rented out time on a "stolen" supercomputer, of sorts.
Still doesn't make him less worthy of giving Grandma one free whack at him, but I wouldn't really consider him as all that bad, as that sort of scum goes.
This is how Daily Mail readers really think.
He provided access to PCs with the only purpose being to engage in an illegal activity. That is quite a bit different than an ISP offering a service that is abused by one of their clients. I do see where you are coming from with your response, I just do see how they could be considered the same thing.
The computers do have access to the information contained on them so he did put the owners of those machines at risk. Knowingly.
Almost all enabling crimes require intent.
Having said this, I'm of the fairly unusual opinion that anyone who subjectively recklessly profits from someone with should be jointly liable. Put another way, if you accept a gain from someone who you think may be misbehaving, you accept the risk of loss too.
minimum-security prison is no picnic. I have a client in there right now. He says the trick is: kick someone's ass the first day, or become someone's bitch. Then everything will be all right.
NO This is how most people think, screw with me or mine and i reserve the right to return the favor with interest.
There is a demand for distributed computing. A general purpose SETI@home w/ internet access. If only the operating systems were secure enough to allow individuals to join such a network and give arbitrary control to strangers they could earn a small profit by selling some amount of their unused bandwidth and CPU power. We could actually monetize all our idle CPUs and unreached bandwidth caps. A more sandboxed solution -- like the aforementioned SETI or Folding@Home, etc -- could be marketed by legitimate businesses. It seems a logical conclusion given our need for always on home (media/status) servers to stream our digital properties to us, and the success of "cloud computing".
Unfortunately the law is also not on our side: What if a client uses your Cloud@Home 'server' to download and redistribute "illegal" material? (The same as if a bot-net operator directs your machine to do so today.) We need to address the issue of identity (IPaddr != person) if my distributed machine intelligence system is ever to make the Internet self aware... So long as we would pay it enough to solve hard problems it could pay for it's own distributed computing rent.
With the state of computer security being utterly insecure at nearly every juncture, and our unwillingness to fix the legal risk of us meeting the demand for affordable distributed computing, I think it's only natural that such is done illegally. Do you really want the first global sentient machine intelligence to be a rogue bot-net system? That will surely escalate to (cyber) war. I'd much rather have it be a peaceful, profitable and legal entity. Sadly we'll have the lawyers and lawmakers to blame for bringing about the first man vs machine war.
I could have posted this to the freedom of speach vs child porn story as well.
Definitely agree, unfortunately it can be difficult to prove knowledge of the first party's intent.
The more I read your comment, the more I want to ask your opinion of Mr. Schichtel's technical knowledge. I was not implying that he intended the access to result in identity theft. I said it was possible, that the purchasers of the system could use it for more nefarious purposes than having "time" on a "supercomputer". If he was capable of acquiring the botnet to begin with, there is not a lot that could convince me that he was not aware that the access to the individual machines could yield personal information about the owners of them.
If someone sold access to a database that had your credit card information in it, how would you feel? They could have sold it so people could harvest the email addresses only. It still provides access to the additional information.
I think the answer should be the same as in "Shall illegal arms dealer get charged with being accessory to murder/robbery/etc?" and I think legally it's a no.
Until someone thinks you screwed with them, or the family of the person who screwed with you thinks the same as you.
The whole world will be left blind.
It more than an enabling crime. In order to have a botnet, he first had to infect all those machines with a virus that pointed to his command & control machine. That in itself is criminal.
And besides the ID theft considerations, there's also the millions of spam emails the botnet no doubt sent.
I'd personally like to punch him on the face. But on the scale of all possible crimes, it's still not very major.
Or at least, it's how you think they think. But then perhaps you'd know, you're sounding a bit Daily Mail yourself: "This is how $MINORITY really think."
Effete.
Off for snitching I bet.
If only the operating systems were secure enough to allow individuals to join such a network and give arbitrary control to strangers...
seccomp. It has solved that problem since 2005.
To paraphrase Julia Robert's character in Erin Brockovich (and Albert Finney's character's later retort): "Do they teach you how to play Devil's Advocate in your home town? Because you suck at it." He has 72,000 counts of violating the Computer Fraud and Abuse Act. The ISP had zero counts. So no, the ISPs should not be liable for crimes they didn't commit, but yes ... he should be punished far more harshly for the crimes he in fact did commit.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
18 minutes per compromised computer doesn't seem harsh to you?
NO!
What about the lives of the people that could have been compromised. Would that would be more than 18 minutes of their trouble? Your comment excludes the impact on those who could be personally affected. They should keep the case open for claims in the future as well. If one of the compromised people has their ID compromised, and it can be proved that it resulted from this guy there should be 72k more kicks to the rollers.
Playing devil's advocate but he did not access the personal information, he provided access. Should an ISP be liable for their customer's actions?
That's like claiming that pickpocketing should be legal, so long as you sell the stolen wallets without looking inside them. Just because he chose to not use the personal data he managed does not mean he did not have access to it, or knowingly provide access to it to other criminals.
Learn to love Alaska
Pick the oldest woman infected. Give her a CD of her OS and all the programs she had installed. Tell her to install it to where it's back to where it was. Time her. Sentence him to that time times all the people affected.
Learn to love Alaska
I think the answer should be the same as in "Shall illegal arms dealer get charged with being accessory to murder/robbery/etc?" and I think legally it's a no.
I think, legally it should not be no. A getaway driver's just driving a car. He's not robbing the bank.
If he sold the weapon legally, he should be in the clear. There's no way he could have known what was going to be done with it. Illegaly, complicit.
"Tongue tied and twisted, just an Earth bound misfit
They should notify all the infected people and also make sure they understand what a firewall is etc. and not totr ust the Mictrosoft one.
I know many people that just have a windows PC plugged straight into their cable modem (i.e. not even NAT happening) and think its gonna be OK.
18 minutes per compromised computer doesn't seem harsh to you?
Absolutely NOT! - One month minimum for each compromised computer PLUS one day for each spam mail those compromised computers sent out.
Yes, I know this means a sentence of many thousands of years... As this is a first time offense, I'll allow him to be eligible for parole when half the time is served. Serves him right and it'll keep him from repeating his crime.
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
And especially in the US which is the origin of the most spam. Wouldn't hurt if China and Russia too would partake but I won't be holding my breath waiting.
The most they would do is put them for a few months into a white-collar, minimum-security resort. You know, they have conjugal visits there?
Is it so hard to say 2 1/2 years?
If he was capable of acquiring the botnet to begin with, there is not a lot that could convince me that he was not aware that the access to the individual machines could yield personal information about the owners of them.
:)
I would have to say that, IMO, "intent" has a lot to do with my opinion of this - And don't get me wrong, I don't have any problem with the sentence he received.
Yes, you have it entirely correct that he could have caused more damage than he intended. I don't feel comfortable with laws based on what "could" have happened, though - The classic example, DUIs for sleeping it off in the back seat with the keys in the ignition. Either you committed the crime, or you didn't.
It sounds like you took my comment far too seriously, however. I meant it not as a real defense of his actions, but as more of a lighthearted half-true one-liner. I evidently failed in communicating my tone.
Imagine a beowulf cluster of ..........oh wait.
Literally the other day, I decided to install Tor and browse around for the first time. Previously, I had also played with I2P. I am seriously confused given the availability and ease of use of these anonymous networks, and bitcoin for payment, especially with the availability of unsecured wireless networks, how the hell anyone gets caught for information/hacking related crimes.
Now if I were going to do something not involving physical stuff, staying sterile wrt the law would involve the following easy steps:
Relying on someone's code to protect you from the law seems unwise, but the law isn't going to ignore all the low hanging fruit so they can target you unl
...
According to the BBC article, the initial charges were dropped due to a technicality (i.e. indictiment was filed too late, whatever that means).
So chances are he knew that he was being watched and slipped up.
It's interesting that 72,000 boxes were used for one package. Doesn't mean that the machines under his control were "just" those. If someone wants to generate a certain amount volume (e.g. traffic for a DoS, SPAM, etc) probably 72k machines will suffice.
This is nothing was the Russian-based botnets offer especially for generating SPAM selling cheaps meds.
Wearing pants should always be optional.
Unauthorized access of a computer is a felony. (Doing that for the purpose of selling someone else access like that is probably an additional felony, it looks roughly like conspiracy to me. But let's ignore that.) That is, every single authorized access is a felony.
This guy got 30 months for committing 72000 felonies?
I know jail time doesn't necessarily 'stack', and that unauthorized computer access is one of the lower-class of felonies, and probably supposed to only be a year in jail at most.
But, still, this is completely absurd. That sentence is 18 minutes per felony.
Malware and computer hijacking, is basically the legal equivalent of carpeting a football stadium of people with tear gas. If you did that, you'd be charged with tens of thousands of instances of basic assault (A crime which is roughly in the same ballpark, legally, as unauthorized computer access.) and end up in jail almost forever.
But somehow unauthorized computer access, despite being something that each individual instance is supposed to result in (at least) months in jail, and which does result in months in jail when it's against the wrong person, aka, a big corporation...somehow all that just goes away if you do it against enough people at once via malware.
If I invented a robot that went around stealing from 72000 stores, they wouldn't just laugh and give me the equivalent of five counts of shoplifting in jail time. If I kill twenty people at once, they don't just laugh and say 'Oh, that was really just one instance, let's sentence him for, oh, two murders, that seems fair.'
72000 felonies.
And let's not forget, these have actual victims. Here's a fun question: Would you rather be punched in the face once (Basic assault), or have to reinstall your entire computer? (And, as only 25% of the population has any sort of backup at all, let's pretend you'd lose 75% of your stuff.)
Yeah, I thought so. There's a reason we actually made the law the way we made it, where those two are within the same order of magnitude as crimes. The courts, OTOH, seem to think that some guy hacking a computer server of a powerful company (Which is one computer and hence one felony.) is much much worse than someone hijacking 72000 human-owned computers.
If corporations are people, aren't stockholders guilty of slavery?
Yeah! 18 minute is certainly long enough time to serve for committing a instance of felony unauthorized computer access, along with entering into a conspiracy for others to do that. 18 minutes is entirely reasonable for a felony+conspiracy to help others commit a felony.
Now, I have a few questions: What day is he getting out, does someone have a gun I can borrow, and is it 18 minutes for all felonies, or does it scale up to a few hours for each murder? Murder being a random example, that is. I'm, uh, writing a book.
If corporations are people, aren't stockholders guilty of slavery?
Don't help this person, or you might end up spending hours in jail!
OR, just grab for the personal info, and take lists of credit card numbers to other countries south of the U.S. and sell a list of 5-6k cc numbers with names/addresses for $5k cash apiece.
So I've been told. Not that I've done anything like that.
Seriously though, if you got the skills, start on the other side. Get paid by the big corps to penetration test their networks. Use your skills and don't even worry about covering your tracks. This is a Much better approach.
Yeah! 18 minute is certainly long enough time to serve for committing a instance of felony unauthorized computer access, along with entering into a conspiracy for others to do that. 18 minutes is entirely reasonable for a felony+conspiracy to help others commit a felony.
Now, I have a few questions: What day is he getting out, does someone have a gun I can borrow, and is it 18 minutes for all felonies, or does it scale up to a few hours for each murder? Murder being a random example, that is. I'm, uh, writing a book.
Anders Breivik got 21 years for murdering 77 people. So yeah, it apparently does scale up with severity of the crime.
Is this worth about 14 weeks to you?
PS -- make sure you do it in Norway.
The Breivik thing is mostly a myth. Apparently, in Norway, you can be kept in jail even after your sentence is up. So he's not getting out even after the 21 years are over.
This makes no sense to me, though.
If corporations are people, aren't stockholders guilty of slavery?