Confessed Botnet Master Is a Security Professional

Posted by CmdrTaco on Mon Jan 26, 2009 11:42 AM
from the he-should-know-better dept.
An anonymous reader writes "John Schiefer, the Los Angeles security consultant who in last 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing. Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society."
  • BURN HIM! (Score:5, Interesting)

    by erroneus (253617) on Monday January 26 2009, @11:45AM (#26608517) Homepage

    He is one of those people who, in my opinion, qualifies for MUCH more harsh punishment. My opinions are on the far extreme though... not likely to happen, but it does call for a good old fashioned lynching.

    • Re:BURN HIM! (Score:5, Interesting)

      by HTH NE1 (675604) on Monday January 26 2009, @12:15PM (#26609035)

      He is one of those people who, in my opinion, qualifies for MUCH more harsh punishment.

      Well, the US prosecutor could just allege that he's capable of starting World War III if given an opportunity to whistle into a telephone to get him thrown into solitary confinement. It might even be more believable than the last time they used it successfully.

      • by CarpetShark (865376) on Monday January 26 2009, @03:00PM (#26611501)

        From TFA:

        Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society.

        From your comment:

        ...the US prosecutor could just allege that he's capable of starting World War III...

        In all seriousness, it's a really bad idea to suggest that being capable of something, or representing a threat, is enough to punish someone for. Yes, this guy has probably caused a lot of damage. Should we convict him on the "probably"? No. Get some real, hard evidence, then do something. Preferably, do something useful, like show him how much damage he caused, and introduce him to the people whose lives he messed up, rather than just taking revenge on him. People who do that (namely, most of the so-called justice system) are part of the problem that makes this a dog-eat-dog world, not part of the solution.

    • Re:BURN HIM! (Score:5, Interesting)

      by Lumpy (12016) on Monday January 26 2009, @12:18PM (#26609061) Homepage

      You were modded troll probably because many of the IT security guys here don't want to be lynched when they get caught for their dirty deeds.

      I don't want to kill anyone, but I am a big supporter of public humiliation. Part of his sentence needs to be 5 days in public stockades where people can throw non-sharp objects at his face, and/or take a few whacks with a switch to his body.

  • by Anonymous Coward on Monday January 26 2009, @11:47AM (#26608573)

    He should have worked in finance. There it's expected for you to loot the company safe and walk away with billions of dollars. Leaving a burning building behind you, with taxpayers footing the bill for cleaning it up, is absolutely expected. Big career path mistake on his part. Perhaps while in prison he can study for his MBA and open a hedge fund on release.

  • by htnmmo (1454573) on Monday January 26 2009, @11:48AM (#26608595) Homepage

    Not everyone can create a botnet. There's some skill involved and you have to know details about vulnerabilities and how to exploit them.

    Did you expect him to be a shoe salesman?

    This is like that guy from the Gaming Control board that was cheating slots [pokertv.com].

    • by TheRealMindChild (743925) on Monday January 26 2009, @12:09PM (#26608945) Homepage Journal
      There's some skill involved and you have to know details about vulnerabilities and how to exploit them.

      Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.

      • by Anonymous Coward on Monday January 26 2009, @12:32PM (#26609261)
        Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.

        I'm sure every shoe salesman reading this knows exactly what you're on about.
      • by I)_MaLaClYpSe_(I (447961) on Monday January 26 2009, @07:37PM (#26615727)

        Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.

        Well, you can arm a PoC exploit and crack a few PCs that way. Then you have only access to the box. Typically this might get detected quite fast by AV vendors, so you'd better obfuscate that code some more.

        So by then you have a working sploit but you are not somewhere near to a botnet. First, you need code that stays on the box meaning it should start itself when the machine gets booted up. And if you want to be successful you should not choose HKLM/local...entVersion/run/ but something more subtle. The easy way to go here would be another less known registry value but this means executing a process that can be seen and thus be dealt with in your task manager. So, ideally you inject a dll into another process. Now that already takes quite some knowledge.

        Now you still do not have a botnet, still far from it but closer.

        No, you need a mechanism to distribute that code. That could be using the armed PoC exploit, brute forcing shares in the net, infecting files, copying to other devices or inclusion in Zip files etc. or just emailing itself in a combination with social engineering techniques so the recipient will execute that malware of yours.

        And writing your own SMTP engine in assembly might not be that easy anymore. But for the sake of the argument, let's say you want to exploit a Windows SMB vulnerability. Then you have to think about algorithms for finding an IP address in an effective manner. And you have to make sure that it does not spread too fast, because then you create a lot of noise that will get people's attention, and you even might cause enough scanning/exploitation attempts to clog the very pipes you need to spread.

        That having been said, you will want to disturb the work of antivirus companies. That means you have to identify the net ranges used by these AV companies and design your spreading algorithm in a way that excludes those ranges. Then you will want to block AV software on infected hosts from getting signature updates, so you have to identify those IPs/DNS names as well in order to block the hosts' access to them. As you can enter your victims through an exploit, you even have the chance to avoid AV detection as a whole, which means that you have to cleverly hide your presence from the AV or you (try to) disable the AV software altogether without the user and the host OS noticing. Not so easy at all! And you want to avoid being dissected all too fast, so you will want to implement some more obfuscation: assembly level anti-debugging features, self-written executable packers, maybe virtual machine detection etc.

        Congratulations, you now have written a worm. Of course you'd better test it with various OSes, languages, releases and AV systems, right?

        Now, you still do not have a botnet!

        For a botnet, you need some command and control structures. You need to communicate with your victims. Now that makes you easily traceable, so you might want to make your botnet a double-fast flux peer-to-peer network. Easy, isn't it?

        And then you just have to find a way so that the money you are trying to make off of that botnet does not get easily traced back to you.

        But yes, I agree, all it needs is a script kiddie that can exchange some NOP and 0xEB 0xFE code with a working payload, right? As easy as winking.

        Clearly that guy must neither have any real knowledge about IT security nor can he be intelligent or skilled in any way.

        Which, BTW, does not mean that I do not condone this, in fact I do. But if you happen to have those skills and you probably have invested significant time into learning everything about it and you are being paid just a bit over minimum wage (e.g. because you were on parole or for some other reason) and you are told every second day that your skills are

    • I think the surprise doesn't come from the fact it was a security guy, but the idea that someone like a lot of slashdotters is that capable of hurting others. Outside of the money and women, part of what we do as IT is helping and protecting people in the wild west that is networks. The fact a "good guy" could be bad is an extra sucker punch because a lot of folks here deep down probably wouldn't do that, and would have a tough time associating with the reasons why.

      Idealistic, eh? Still, sucks when John Wayne saves the girl only to go rob the bank one town over.

      -Matt

      • by Anonymous Coward on Monday January 26 2009, @12:45PM (#26609497)

        I wouldn't be surprised to find that most people are not too far away from the Office Space mentality: Having something to lose, fear of punishment and lack of opportunities seem to be the only barriers. Why do you think Russia is teeming with black hats? Those are intelligent people who have little to lose and much to gain by joining the dark side.

        Ethics is a team sport. We're not all heroes who do the right thing no matter what is being done to us. The hero or one-man-army image of security professionals should fade away. It's a delusion. People of all ranks and professions have it in them, as you should have noticed in the recent months. You have to account for people going rogue. Redundancy, verification and limited power are the way to security, not hiring a wizard.

      • by Anonymous Coward on Monday January 26 2009, @01:41PM (#26610283)

        "Good? Bad? I'm the one with the gun." - Ash, Army of Darkness

        What do you mean, "one of us"? A common thief? An opportunistic prick who capitalizes on the ignorance of others? A coward, afraid to face the consequences of his actions? A foolish asshole who thought he would never get caught? None of those describe me (and I suspect not you either).

        Oh... You mean he works in the IT department? That doesn't make him a "good" guy. In this country any asshole has the same opportunities as you or I. It's what we make of those opportunities that defines us.

        There is nothing inherently noble about working in IT.

  • by nedlohs (1335013) on Monday January 26 2009, @11:49AM (#26608601)

    As opposed to the 2007 before that?

  • Disgraceful (Score:4, Insightful)

    by DeadPixels (1391907) on Monday January 26 2009, @11:50AM (#26608627)
    While I'm not surprised that it was someone heavily involved in the field, as a future security professional myself, I'm rather ashamed that this man's greed won out over his ethics.
    • Re: (Score:3, Interesting)

      Why? ANYONE with a working brain can become a security professional. You are not in any way responsible for his actions (or for the actions of any other security professional), but by saying you feel 'ashamed' for his actions you suggest you somehow are (and that security professionals are incapable of independent thought...). Why do you feel shame?

      • Re:Disgraceful (Score:5, Informative)

        by Opportunist (166417) on Monday January 26 2009, @01:56PM (#26610501)

        I am in the field, and I'm not ashamed for, but fuckin' angry at him.

        I keep talking 'til I turn blue to squelch the rumors that AV researchers spread malware themselves to have a reason to exist, we get that crap anyway. We try to hunt down asshats like that guy. And then, usually when you finally got at least part of the population to believe that you're actually out to help them, someone like him comes along and ruins it. For all of us. Try to build up trust when you hear that the person that claimed to help you actually was the one that infected you!

        I am, quite bluntly, insanely pissed at the guy.

  • by MillionthMonkey (240664) on Monday January 26 2009, @11:50AM (#26608629)

    Their culprit would turn out to be a pimple-faced highschool kid dialing in with his VIC-Modem and Commodore 64, and then he'd maybe even get a drudging job offer. Nowadays the job offer part comes first.

  • by gEvil (beta) (945888) on Monday January 26 2009, @11:50AM (#26608639)
    ...says he's spent the past 15 working as a professional in the security scene...

    Oh my God! Only the past 15?!? I've already spent the past 120 perusing slashdot.

    Hint: qualifiers matter.
  • by Anonymous Coward on Monday January 26 2009, @11:51AM (#26608647)

    Schiefer's attorney also said his history included a "substance abuse problem" and being "the target of sexual abuse."

    Riiight, because most victims of sexual abuse go and create botnets to steal bank passwords. Disingenuous much?

  • Jail him. Now. (Score:4, Interesting)

    by postbigbang (761081) on Monday January 26 2009, @11:54AM (#26608709)

    There should be 250,000 litigants, one each for the number of botted machines out there filing suit against him in addition to being behind bars with his hands cuffed (can one type in cuffs? might be interesting).

    This guy is a poster boy for how due process ought to work for computer criminals. The trust factor should be zero. This isn't a hero, this is a master thief.

  • 15 months, not years (Score:5, Informative)

    by immakiku (777365) on Monday January 26 2009, @11:56AM (#26608745)
    What needs to be clarified is that this is 15 months he spent waiting for punishment, not 15 years. And the lenient sentencing is because he ultimately did not cause much damage.
  • by rs232 (849320) on Monday January 26 2009, @11:57AM (#26608765)
    "An American security consultant who stole hundreds of thousands of online bank passwords by employing a massive botnet that he often administered from work"
  • Five years? (Score:4, Insightful)

    by brian0918 (638904) <brian0918@@@gmail...com> on Monday January 26 2009, @11:57AM (#26608769) Homepage
    Is it just me, or does 5 years seem kinda low for someone who has infiltrated 250,000 computers and has been stealing bank account passwords??
  • by Anonymous Coward on Monday January 26 2009, @12:06PM (#26608889)

    My professional opinion is that Internet Explorer is a fast, reliable, and safe web browsing platform.

    Also, make sure ActiveX is turned on. It's important for your safety.

  • Hear that sound? (Score:4, Insightful)

    by yttrstein (891553) on Monday January 26 2009, @12:16PM (#26609039) Homepage
    That's the sound of 30,000 other security professionals simultaneously saying "no shit!"
  • by gb7djk (857694) * on Monday January 26 2009, @12:26PM (#26609193) Homepage
    So prosecutors are asking for 5 years for stealing 1000's of bank details by a professional security consultant. Yet for that dastardly foreigner (MacKinnon) and complete amateur that embarrassed the military and did not steal or actually damage anything other than the US Government's pride with his dial-up modem - he is in line for 70 years. Is it just me or is there something wrong here?
  • Fixed it (Score:3, Funny)

    by DeanFox (729620) * <fox,dean&gmail,com> on Monday January 26 2009, @12:38PM (#26609375)

    "Quit being a bitch and claim it," Schiefer told a juvenile apprentice named Adam, according to court documents.

    How the tables turn. Now it's Schiefer who's going to be told, "You're my bitch now, I claimed it".

    -[d]-
  • by jollyreaper (513215) on Monday January 26 2009, @02:28PM (#26611019)

    "John Schiefer, the Los Angeles security consultant who in last 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing.

    Even worse, I hear the submitter has been working the past 15 months as a professor of English language while awaiting sentencing for negligent grammarcide.

    • by MozeeToby (1163751) on Monday January 26 2009, @12:01PM (#26608817)

      What about the woman that gets raped on the street? Isn't she partly responsible for the rapist's behavior?

      Come on people, quit blaming the victim; especially when the victim is an average person (as is evidenced by the sheer size that many botnets reach).

      • by Beardo the Bearded (321478) on Monday January 26 2009, @12:07PM (#26608899)

        According to /. logic, if she didn't want to be raped, she should have closed her ports.

      • by Comatose51 (687974) on Monday January 26 2009, @12:16PM (#26609045) Homepage

        Depends on who you ask. If you're asking a socially conservative, self-righteous "virtuous" woman, she might say "yes", it's the girl's fault. We know there are countries where people are like that. On Slashdot, if you ask a bunch of condescending techies about being a victim of a cyber crime, there's a good possibility that some of the people will blame the victim. I'm not saying that they're right, but simply that their perspective is narrower and maybe even biased. Personally, counting on people for reasonable, correct behavior is a fool's hope, and failing to account for people's tendency to act less than reasonably is a weakness in any security system or protocol.

        • by TubeSteak (669689) on Monday January 26 2009, @12:50PM (#26609565) Journal

          Personally, counting on people for reasonable, correct behavior is a fool's hope and failing to account for people's tendency to act less than reasonable is a weakness in any security system or protocol.

          The difference between meatspace crimes and internet crimes is the level of risk.

          You can get away with less security in the real world,
          because the level of risk to commit crimes is much higher.
          Online, the risk is lower and in response, your level of security should be much higher.

        • by MozeeToby (1163751) on Monday January 26 2009, @12:27PM (#26609201)

          The closest I can get to a rape analogy is that a woman seeks out a man, asks him for sex, does the deed, and then the next morning decides he wasn't the guy she was looking for. He was supposed to be a pretty screensaver, and instead turned out to be a spambot. There he is, in her bedroom, writing letters and taking stamps out of her desk.

          No, the analogy here would be: A woman asks out what seems to be a nice man for dinner. At dinner he slips a roofie into her drink, drags her back to the car and rapes her. The next morning she knows that something is wrong, but can't remember a thing and so doesn't properly report it or deal with the consequences.

          • by Nick Ives (317) on Monday January 26 2009, @12:57PM (#26609711)

            I'd view it more like raping someone with learning difficulties. Windows boxes often just don't have the capacity to say no or understand that what they're doing might be wrong; they just lack that sort of basic awareness.

            So it's more a case of someone asks a nice man for a lollipop but due to using Windows they can't tell if the man is really nice or indeed if that's really a lollipop.

    • by Ephemeriis (315124) on Monday January 26 2009, @12:26PM (#26609191) Homepage

      What about the individuals whose computers were compromised by him? Are they not themselves partially culpable for his actions? Shouldn't people feel compelled to not let themselves become zombies?

      Sure, I should probably lock the door of my house when I leave for work... It's probably a good idea to lock my car in the parking lot, too... But that doesn't mean it isn't a criminal act if you walk into my house and steal something.

      Yes, from an insurance standpoint not locking the door will likely have an effect. If my insurance company knows that I didn't lock my car they probably won't pay for any repairs it may need after being recovered. But the guy who steals it is still a criminal, still goes on trial, and still goes to jail.

      Just because someone didn't patch their computer doesn't mean it's OK to exploit those vulnerabilities. It's a weak point in the computer's security, not an open invitation. Are you suggesting that it's OK to break into someone's house because the windows are fragile?

      Creating a botnet from zombied computers is no trivial act. Simply exploiting a vulnerability takes some time and effort. It isn't as if this guy just kind of tripped over a botnet and accidentally stole some identities. This was an intentional criminal act.