US Bot Herder Admits Infecting 250K Machines

AceCaseOR writes "In Los Angeles criminal court, security consultant John Schiefer, 26, has admitted infecting the systems of his clients with viruses to form a botnet containing a maximum of 250,000 systems. Schiefer used his zombies to steal users' PayPal usernames and passwords to make unauthorized purchases, as well as to install adware on their computers without their consent. Schiefer agreed to plead guilty to four felony charges of accessing protected computers to commit fraud, disclosing illegally intercepted electronic communications, wire fraud, and bank fraud. He will be sentenced Dec. 3 and faces up to 60 years in prison and a fine of $1.75 million."

White collar

[sproketboy]

He'll get 5 years at a country club and a bunch of great job offers after he gets out. You heard it here first.

Re:White collar

[Secrity]

With time off for good behavior, it will be less than 30 months. He may even be able to get most of that as work release.

less than 15 cents per infected computer ...

[tomhudson]

According to the article, this jerk got $19,000 for dumping adware on more than 150,000 pcs.

He also encouraged minors to act as go-betweens:

At one point, according to the plea agreement, a conspirator named "Adam" expressed concern about stealing money. Schiefer responded by reminding Adam that he was not yet 18 and should "quit being a bitch and claim it

Obviously he had more than one kid "working" for him. He probably agreed to the plea-bargain because otherwise he'd be facing total possible time of several hundred years.

However, he won't be hired by anyone in the computer field after this - what he did was a simple con, no "computer wizardry" required. Hans Reiser would have more chance after a murder conviction.

Re:Whoa!

[Anonymous Coward]

I hope this means that our government / law enforcement actually realizes that this kind of activity is a problem now. Who do we hire to watch the security experts these days?

Re:White collar

[Dogtanian]

He'll get 5 years at a country club and a bunch of great job offers after he gets out. You heard it here first.

Actually, I suspect that there's going to be a major perceived difference between someone who has simply hacked into others' computers in the past, and someone who has specifically exploited the trust of and targeted those who employed him to protect their PCs.

Would I trust a former black-hat hacker to protect my computers? Possibly. Would I trust someone who has specifically targeted and screwed over his clients in the past- the people who paid him good money to protect them from such behaviour? Would I fuck.

He did the crime....he should do the time

[Joce640k]

He knowingly, willingly and maliciously did this. It wasn't an accident, a crime of passion or something he did because he was drunk one night, it took real work over many months. He was well aware of what he was doing the whole time he was doing it.

The proverbial book needs to be thrown at people like this. These are precisely the sort of people we should be making an example of.

Re:"security consultant" John Schiefer

[mrbluze]

Please don't insult the thousands of honest security consultants by calling this guy a "security consultant." The title of "con artist" would be far more accurate.

Ok, but what is a security consultant? I have a friend who is a colour consultant but she has no education and drives around in a small car telling people what curtains to buy and clothes to wear. Another colour consultant I met almost made me buy pink curtains... whew, lucky I checked her credentials. She was colour blind!

These days, using the word "consultant" outside of strictly regulated industries (eg: medical field) is just a method of social 'privilege escalation', as far as I'm concerned.

Re:Whoa!

[brassman]

Indeed, it's worth stressing why the penalty should be so severe. The guy positioned himself as a security expert, offering to protect his clients against this very sort of thing.

Gaining someone's trust with the intent to betray it is a particularly pernicious form of moral rot. It is called "embezzlement," and there is a reason it is viewed even more harshly than burglary or robbery under the law.

Losing property to a hostile stranger does not turn society upside down. Burglary (taking someone's property) is often considered rather petty, especially when the property owner is absent.

Robbery (taking property directly from someone) is more serious -- but even though there is an active component of threat, it can be impersonal: "Hand it over and nobody gets hurt." Robbery without violence might disrupt the victim's life, but the disruption might be only to the extent that he or she is reminded that none of us is an invulnerable superbeing.

Embezzling someone's assets invalidates their judgment and throws every decision they have ever made into question. It is psychologically devastating. When someone who has promised to protect you is instead the one who steals from you, he is undermining the basis of civilization itself.

Re:Whoa!

[Aladrin]

So having someone invade your personal space and steal things that have sentimental value isn't psychologically devastating? Being robbed at gunpoint with your life on the line over some green paper isn't psychologically devastating? Think again.

I can agree that this is worse, but don't put down other peoples' experiences to make your point.

Re:He did the crime....he should do the time

[Anonymous Coward]

> He ... faces up to 60 years in prison and a fine of $1.75 million

So he's pleading guilty to avoid ... what, a way harsh punishment, like 65 years in prison and $2 million in fines?

It's always the man trying to bring someone down because he knows too much, eh?

Re:Whoa!

[Grave]

I don't believe he meant to put down the experience of being robbed. Rather, I believe his point was that the morality of a person who commits of robbery is not quite as damaged and evil as someone who knowingly gains the trust of thousands just to deceive them. To the victim the difference may not be significant, but for the perpetrator of the act it is very different, and thus deserving of a more substantial punishment. Though I must say, he's not going to serve 60 years - that's the max, and I find it hard to believe any judge is going to sentence him to the full time, as it would be pretty much the rest of his life.

Re:White collar

[MillionthMonkey]

What kind of fucking lunatic would hire somebody who has PROVEN that he says he's one thing but is actually another?

Oh you'd be surprised. This guy might have a bright future ahead of him in politics.

Re:White collar

[SL Baur]

It almost seems like you're excusing his behavior, and blaming it on Microsoft.

Passwords should never be saved in plaintext. Clearly though, Microsoft is not the only one with criminally stupid behavior here because Mozilla/Firefox, Konqueror, Safari, etc. will do it too.

Both parties are guilty, and yes, I think any software product that stores passwords like that should be held guilty when that facility is exploited. To be sure, I am not including buffer overflows in that category. Human error is different from ignorance of history.

Password saving features, like ActiveX and Javascript are just stupid, stupid insecure features that were known to be insecure by design before they were invented. Stupidity (or greed) on the part of the managers deciding to release those features is no excuse.

Re:He did the crime....he should do the time

[Oligonicella]

Fact is, admitting to a crime is not the same as being guilty.

Fact is, legally you're incorrect.