US Bot Herder Admits Infecting 250K Machines

AceCaseOR writes "In Los Angeles criminal court, security consultant John Schiefer, 26, has admitted infecting the systems of his clients with viruses to form a botnet containing a maximum of 250,000 systems. Schiefer used his zombies to steal users' PayPal usernames and passwords to make unauthorized purchases, as well as to install adware on their computers without their consent. Schiefer agreed to plead guilty to four felony charges of accessing protected computers to commit fraud, disclosing illegally intercepted electronic communications, wire fraud, and bank fraud. He will be sentenced Dec. 3 and faces up to 60 years in prison and a fine of $1.75 million."

Whoa!

[junglee_iitk]

... faces up to 60 years in prison and a fine of $1.75 million.

Sometimes somethings result in someother things that nobody would have expected. I feel sorry for this guy. But somehow I cannot come-up with any excuse as to why he should not be punished so harshly.

Re:from the article

[Feminist-Mom]

I am a grandmother too, and sorry but you are wrong. The truth is, that most grandmothers are not technically literate. I just happen to have a career as a programmer, but I think your being too pc if you think there isn't a grain of truth in the original statement.

broken justice?

[dwater]

I wonder if this is an instance of someone 'admitting' it just get some reduced sentence.

Just because you admit to something in a court does not mean it's actually true.

Auditing, Auditing...

[BoRegardless]

This is why companies have outside auditors for their accounting departments.

Should not companies now figure out how to audit their IT deparments regularly?

This is NOT that uncommon, after reading some of the stuff written by the forensic snoops hired by private companies (who mostly do not want anyone to know that anything was compromised...shareholders & investors for instance).

What about Sony

[31415926535897]

If he gets a fine this large and jail time for infecting 0.25 million computers, where's the appropriate sentence for Sony for knowingly infecting millions of computers with the rootkit on their CDs?

"security consultant" John Schiefer

[pongo000]

Please don't insult the thousands of honest security consultants by calling this guy a "security consultant." The title of "con artist" would be far more accurate.

Crime and Punishment

[Synonymous Bosch]

There's nothing constructive to derive from this post but pointless speculation. Let that take care of the concerns of the trolls and critics right off the bat, nothing to see here, move along.

Anyways, I've been doing a bit of thinking about this issue.

You often hear about 'white collar' criminals being given massive sentences. They could be organisers of international software piracy rings, super electronic fraudsters (like the one mentioned in the original parent article), whatever. The numbers of years they are sentenced to and dollars they are fined just seem to get bigger and bigger each time i hear a new story.

New laws are increasingly being passed to raise the penalties for electronic crimes. These harsher penalties don't seem to be acting as much of a deterrent, however.

The economic damage caused by internet and computer crime is staggering, the number of victims (as seen in the article) in the hundreds of thousands, potentially even millions. Could there come a time where these crimes could incur capital punishment?

disclaimer: i come from a country without the death penalty, and personally don't understand the necessity for it, so don't read this as my supporting the idea. This isn't about my personal philosophy.

Murder is already a capital crime in a number of US states. People are already being executed in many countries for crimes other than murder. Drug trafficking, serious sexual offences, could it be a relatively a small step for internet crimes to escalate into capital territory?

The internet being international as it is and the victims of these crimes often being selected so indiscriminately, could it be a matter of time before an american committing e-fraud is indicted in a country where his crimes are of a capital nature?

Extrapolating ludicrously, could a european citizen not subject to capital punishment be indicted by an america where their internet-based crime warrants the death penalty?

It's controversial enough when a citizen of a country that doesn't have the death penalty is sentenced to death in one that does. Imagine if the crime they committed was something we might look at as being comparatively trivial in nature.

Re:He did the crime....he should do the time

[rbannon]

You said, ``hell, he admitted it.''

Fact is, admitting to a crime is not the same as being guilty. I'm not saying he's not guilty, but knowing how the system works casts serious doubts in my mind about his guilt.

3G Communications may go under because of him

[Joce640k]

3G Communications may also go under because of this guy's actions.

Would you trust them after this?

Corrupting the mind of youths

[Lead Butthead]

Wish this was the ancient Greece, where people can be sentenced to death for corrupting the mind of youths.

Re:Auditing, Auditing...

[thatskinnyguy]

As it seems from the summary, the companies who fell prey to this malfeasance either don't have IT departments or the budget to support one. I used to work for a company that was an outsourcing service provider for companies' IT needs. It's surprising how many well-established companies don't want to put the resources into a dedicated IT department let alone a special division for auditing the computerized processes and systems that keep the business afloat.

Re:He did the crime....he should do the time

[Anonymous Coward]

I'm not so sure this is a harsh punishment. How about sentencing him to equal time in jail to the time he wasted for other people by stealing their PayPal accounts, etc? Say he serves a day in jail for every day of someone else life he wasted with his crimes? If 10% of those 250,000 people wasted just 1 day each, then that's 68 years in jail. The 60 years MAX he's facing (= 5-10 years max in reality?) sounds quite lenient. Ditto restitution - never mind a punitative fine.

I don't feel sorry for criminals - at mininum they should get "eye for an eye" punishment. Murderers included.

Hard punishment? Hardly.

[Opportunist]

I'm the last person to support insane prison time and fines as a deterrent. It ain't one. It never has been and never will be. Look at the insane punishments we got today for copyright infringement. And I'm not even talking about the civil suits for "damages" (or as I like to call it "the MI's new business model"). We now got 10 years prison time for that as a maximum sentence. For the same penalty, I could rob a bank, hold people hostage for a few hours and wreck a getaway card into a school.

This isn't just a "simple" criminal using malware to steal IDs. He was the guy who was supposed to disallow exactly that. He was the one people trusted to keep them clean from malware. Now, he didn't just fail in his job and allow it despite his attempts, he deliberately and intentionally infected his clients' computers.

That's why I don't think this punishment is overdone. We're talking about the maybe most insidious way of breaking a law: Getting people's trust, getting them to believe you you're going to keep them save from just what you want to do to them. It's like a cop breaking into your home or your babysitter ... ok, no thinkofthechildren examples. But you get the idea.

This is NOT the punishment I'd see as adequate for a "normal" malware attacker (even though I would love to see them dangling from their dangling bits, but that's my personal opinion).

As for those that expect him to get out after 5 years and have a great job then, I can tell you this: I can't say anything about his time, but his job opportunities are going to be slim. The security industry isn't big. People know each other. People like this are going to be not known, they are infamous. And nobody will willingly touch him with a 10 foot pole.