Security

Confessed Botnet Master Is a Security Professional 278

An anonymous reader writes "John Schiefer, the Los Angeles security consultant who in last 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing. Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society."

  • by htnmmo ( 1454573 ) on Monday January 26, 2009 @12:48PM (#26608595) Homepage

    Not everyone can create a botnet. There's some skill involved and you have to know details about vulnerabilities and how to exploit them.

    Did you expect him to be a shoe salesman?

    This is like that guy from the Gaming Control board that was cheating slots [pokertv.com].

  • Disgraceful (Score:4, Insightful)

    by DeadPixels ( 1391907 ) on Monday January 26, 2009 @12:50PM (#26608627)
    While I'm not surprised that it was someone heavily involved in the field, as a future security professional myself, I'm rather ashamed that this man's greed won out over his ethics.
  • by MillionthMonkey ( 240664 ) on Monday January 26, 2009 @12:50PM (#26608629)

    Their culprit would turn out to be a pimple-faced high school kid dialing in with his VIC-Modem and Commodore 64, and then he'd maybe even get a drudging job offer. Nowadays the job offer part comes first.

  • Re:"in last 2007" (Score:3, Insightful)

    by bsDaemon ( 87307 ) on Monday January 26, 2009 @12:50PM (#26608631)

    2007 BCE?

  • by Anonymous Coward on Monday January 26, 2009 @12:51PM (#26608647)

    Schiefer's attorney also said his history included a "substance abuse problem" and being "the target of sexual abuse."

    Riiight, because most victims of sexual abuse go and create botnets to steal bank passwords. Disingenuous much?

  • by shoegoo ( 674914 ) on Monday January 26, 2009 @12:56PM (#26608753) Homepage
    to make sure the grammar is correct and the submissions lack certain unpleasantries such as run-on sentences.
  • Five years? (Score:4, Insightful)

    by brian0918 ( 638904 ) <brian0918@gma[ ]com ['il.' in gap]> on Monday January 26, 2009 @12:57PM (#26608769)
    Is it just me, or does 5 years seem kinda low for someone who has infiltrated 250,000 computers and has been stealing bank account passwords??
  • by TheRealMindChild ( 743925 ) on Monday January 26, 2009 @01:09PM (#26608945) Homepage Journal
    There's some skill involved and you have to know details about vulnerabilities and how to exploit them.

    Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.
  • by Anonymous Coward on Monday January 26, 2009 @01:12PM (#26608985)

    Riiight, because most victims of sexual abuse go and create botnets to steal bank passwords. Disingenuous much?

    No, but they do engage in self destructive behavior such as substance abuse, addiction and crime.
    (not an excuse).

  • I think the surprise doesn't come from the fact it was a security guy, but the idea that someone like a lot of slashdotters is that capable of hurting others. Outside of the money and women, part of what we do as IT is helping and protecting people in the wild west that is networks. The fact a "good guy" could be bad is an extra sucker punch because a lot of folks here deep down probably wouldn't do that, and would have a tough time associating with the reasons why.

    Idealistic, eh? Still, sucks when John Wayne saves the girl only to go rob the bank one town over.

    -Matt

  • Hear that sound? (Score:4, Insightful)

    by yttrstein ( 891553 ) on Monday January 26, 2009 @01:16PM (#26609039) Homepage
    That's the sound of 30,000 other security professionals simultaneously saying "no shit!"
  • by Comatose51 ( 687974 ) on Monday January 26, 2009 @01:16PM (#26609045) Homepage

    Depends on who you ask. If you're asking a socially conservative, self-righteous "virtuous" woman, she might say "yes", it's the girl's fault. We know there are countries where people are like that. On Slashdot, if you ask a bunch of condescending techies about being a victim of a cyber crime, there's a good possibility that some of the people will blame the victim. I'm not saying that they're right but simply their perspective is narrower and maybe even biased. Personally, counting on people for reasonable, correct behavior is a fool's hope and failing to account for people's tendency to act less than reasonable is a weakness in any security system or protocol.

  • discover a security exploit and alert everyone: should get hero's reward

    discover a security exploit and uses it, to harmless effect: should get thanks for discovery, a frown, and no reward

    discover a security exploit and use it to, well, exploit: throw the book at him

    unfortunately, it seems that all three classes of white, gray, and black hats get the same treatment

    i'm not bringing the three classes up to argue leniency for the reprobate who made the botnet, i'm bringing up the fact that this guy is an example of someone who really should get punished severely, in contrast to gray and white hats who serve society and are unfortunately treated as the same class of criminal, when they are clearly not

    this guy is the contrasting example of what a gray and white hat could have done with their knowledge, but chose not to. people need to be more aware of the valuable service gray and white hats provide

  • by mmkkbb ( 816035 ) on Monday January 26, 2009 @01:20PM (#26609101) Homepage Journal

    Read the article, not the summary.

  • Re:Five years? (Score:2, Insightful)

    by furby076 ( 1461805 ) on Monday January 26, 2009 @01:25PM (#26609161) Homepage
    Considering that people who commit manslaughter can go to jail for less, then no, I don't think so.

    Problem with our legal system is that it has disparaging sentences. This turns out to be cruel and unusual punishment. We have people who kill others and go to jail for a couple of years...then we have people who rob banks who go to jail for a decade (plus extra time for each illegal weapon/ammunition even if a shot was never fired) and then we expect computer hackers (while malicious, didn't kill anyone) go to jail for a long time?

    Yes what he did was bad, but no 5 years is a bit extreme, and anything over that is just being petty.
  • Divine Comedy (Score:4, Insightful)

    by 0100010001010011 ( 652467 ) on Monday January 26, 2009 @01:25PM (#26609167)

    Well he's already on path for the 8th or 9th circle of hell. [wikipedia.org]

    8th Circle:
    Bolgia 8: Fraudulent advisors are encased in individual flames.

    9th Circle:
    Round 2: Antenora is named for Antenor of Troy, who according to medieval tradition betrayed his city to the Greeks. Traitors to political entities, such as party, city, or country, are located here.

  • by MozeeToby ( 1163751 ) on Monday January 26, 2009 @01:27PM (#26609201)

    The closest I can get to a rape analogy is that a woman seeks out a man, asks him for sex, does the deed, and then the next morning decides he wasn't the guy she was looking for. He was supposed to be a pretty screensaver, and instead turned out to be a spambot. There he is, in her bedroom, writing letters and taking stamps out of her desk.

    No, the analogy here would be: A woman asks out what seems to be a nice man for dinner. At dinner he slips a roofy into her drink, drags her back to the car and rapes her. The next morning she knows that something is wrong, but can't remember a thing and so doesn't properly report it or deal with the consequences.

  • Re:Smart People (Score:5, Insightful)

    by schnikies79 ( 788746 ) on Monday January 26, 2009 @01:28PM (#26609217)

    The only person that can be blamed is him. Not his parents, not the school, not society.

    No one put a gun to his head and made him hack. Take some responsibility.

    Ridiculous.

  • by Anonymous Coward on Monday January 26, 2009 @01:33PM (#26609271)

    Sexual abuse victims are more likely to commit murder (of their abuser) or sexually abuse others. I'm fairly certain that they aren't any more likely than you or me to create a botnet.

  • by spikejnz ( 1393097 ) on Monday January 26, 2009 @01:45PM (#26609481)
    You're making the assumption that the "glaring grammatical errors" are obvious to those individuals making such "glaring grammatical errors."

    Fail!
  • by Anonymous Coward on Monday January 26, 2009 @01:45PM (#26609497)

    I wouldn't be surprised to find that most people are not too far away from the Office Space mentality: Having something to lose, fear of punishment and lack of opportunities seem to be the only barriers. Why do you think Russia is teeming with black hats? Those are intelligent people who have little to lose and much to gain by joining the dark side.

    Ethics is a team sport. We're not all heroes who do the right thing no matter what is being done to us. The hero or one-man-army image of security professionals should fade away. It's a delusion. People of all ranks and professions have it in them, as you should have noticed in the recent months. You have to account for people going rogue. Redundancy, verification and limited power are the way to security, not hiring a wizard.

  • by TubeSteak ( 669689 ) on Monday January 26, 2009 @01:50PM (#26609565) Journal

    Personally, counting on people for reasonable, correct behavior is a fool's hope and failing to account for people's tendency to act less than reasonable is a weakness in any security system or protocol.

    The difference between meatspace crimes and internet crimes is the level of risk.

    You can get away with less security in the real world,
    because the level of risk to commit crimes is much higher.
    Online, the risk is lower and in response, your level of security should be much higher.

  • by QuantumRiff ( 120817 ) on Monday January 26, 2009 @01:52PM (#26609601)

    No, but I'd expect him to know the repercussions of what he was doing, based upon his job. We hold people to higher standards in professional careers. A fireman that is an arsonist (okay, a criminal one, every fireman is a pyromaniac), or a Policeman that robs banks deserve much higher sentences for violating the public trust.

  • by Steauengeglase ( 512315 ) on Monday January 26, 2009 @02:05PM (#26609835)

    If I had to points I'd mod you insightful.

  • by Anonymous Coward on Monday January 26, 2009 @02:41PM (#26610283)

    "Good? Bad? I'm the one with the gun." - Ash, Army of Darkness

    What do you mean, "one of us"? A common thief? An opportunistic prick who capitalizes on the ignorance of others? A coward, afraid to face the consequences of his actions? A foolish asshole who thought he would never get caught? None of those describe me (and I suspect not you either).

    Oh.. You mean he works in the IT department? That doesn't make him a "good" guy. In this country any asshole has the same opportunities as you or I. It's what we make of those opportunities that defines us.

    There is nothing inherently noble about working in IT.

  • Re:Divine Comedy (Score:5, Insightful)

    by Chaos Incarnate ( 772793 ) on Monday January 26, 2009 @02:44PM (#26610325) Homepage
    But that's just the normal Hell. Doesn't he deserve the special Hell, along with child molesters and people who talk in the theater?
  • by Opportunist ( 166417 ) on Monday January 26, 2009 @02:59PM (#26610551)

    Only because nobody in the field touches a known criminal with a 10 foot pole anymore. You may rest assured that he's out of the biz for good now.

    Unfortunately there are crooks in every field. You have firemen starting fires. You have cops breaking laws. And they're usually also harder to catch because they know exactly how the deal works, what to watch out for, how to do it to leave no usable tracks, etc.

    At least I can find my peace in the fact that it's not swept under the rug in our biz.

  • by 5865 ( 104259 ) on Monday January 26, 2009 @03:06PM (#26610637)

    It's more like the rapists would always target the skirt wearers over the pants wearers because of the relative lower barrier to entry and the pants wearers would try to convert their skirt wearing sisters from their erroneous ways by calling them little sluts and being condescending.

    What the pants wearers don't realize is that it takes a significant investment of time and effort to learn how to slip into a pair of pants for people who don't sew pants for a living. Thus, the skirt wearers would rather spend extra money on mace or pepper spray that they can operate with a push of a button in times of emergency.

    Thing is, the pepper sprays leak into their skirts and whatever garments they are wearing underneath and leave them with a burning sensation and even then the skirt wearers would rather burn their coochies than learn how to slip into a pair of pants.

  • by CarpetShark ( 865376 ) on Monday January 26, 2009 @04:00PM (#26611501)

    From TFA:

    Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society.

    From your comment:

    ...the US prosecutor could just allege that he's capable of starting World War III...

    In all seriousness, it's a really bad idea to suggest that being capable of something, or representing a threat, is enough to punish someone for. Yes, this guy has probably caused a lot of damage. Should we convict him on the "probably"? No. Get some real, hard evidence, then do something. Preferably, do something useful, like show him how much damage he caused, and introduce him to the people whose lives he messed up, rather than just taking revenge on him. People who do that (namely, most of the so-called justice system) are part of the problem that makes this a dog-eat-dog world, not part of the solution.

  • by PrimalChrome ( 186162 ) on Monday January 26, 2009 @04:18PM (#26611829)
    If my alt had mod points, I'd mod you both insightful.
  • by 4D6963 ( 933028 ) on Monday January 26, 2009 @04:48PM (#26612393)

    And the lenient sentencing is because he ultimately did not cause much damage.

    What? Have you not heeded the cries of your fellow Slashdotters!? Lynch him! Draw him! Quarter him! Then hang his quarters separately!! Stealing bank passwords is so much worse than murder, rape or treason!
