Forgot your password?
typodupeerror
Security

Confessed Botnet Master Is a Security Professional 278

Posted by CmdrTaco
from the he-should-know-better dept.
An anonymous reader writes "John Schiefer, the Los Angeles security consultant who in last 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing. Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society."
This discussion has been archived. No new comments can be posted.

Confessed Botnet Master Is a Security Professional

Comments Filter:
  • BURN HIM! (Score:5, Interesting)

    by erroneus (253617) on Monday January 26, 2009 @12:45PM (#26608517) Homepage

    He is one of those people who, in my opinion, qualifies for MUCH more harsh punishment. My opinions are on the far extreme though... not likely to happen, but it does call for a good old fashioned lynching.

    • Re:BURN HIM! (Score:5, Interesting)

      by HTH NE1 (675604) on Monday January 26, 2009 @01:15PM (#26609035)

      He is one of those people who, in my opinion, qualifies for MUCH more harsh punishment.

      Well, the US prosecutor could just allege that he's capable of starting World War III if given an opportunity to whistle into a telephone to get him thrown into solitary confinement. It might even be more believable than the last time they used it successfully.

      • by CarpetShark (865376) on Monday January 26, 2009 @04:00PM (#26611501)

        From TFA:

        Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society.

        From your comment:

        ...the US prosecutor could just allege that he's capable of starting World War III...

        In all seriousness, it's a really bad idea to suggest that being capable of something, or representing a threat, is enough to punish someone for. Yes, this guy has probably caused a lot of damage. Should we convict him on the "probably"? No. Get some real, hard evidence, then do something. Preferably, do something useful, like show him how much damage he caused, and introduce him to the people who's lives he messed up, rather than just taking revenge on him. People who do that (namely, most of the so-called justice system) are part of the problem that makes this a dog-eat-dog world, not part of the solution.

        • Re: (Score:3, Informative)

          by HTH NE1 (675604)

          In all seriousness, it's a really bad idea to suggest that being capable of something, or representing a threat, is enough to punish someone for.

          Yeah, I'm not sure why I'm getting Funny mods for referencing the treatment of Kevin Mitnick either.

        • Actually, here's a fun thought:

          1. The people in prisons score on the average over 20 on the antisocial personality disorder scale, which is to say you have a spectrum ranging from borderline sociopathic to outright psychopaths. A normal person scores 2-3.

          2. There is no known way to turn a sociopath into a normal person. Trying to psychanalyze them just teaches them to fake the answers that will hide their callousness better.

          3. Showing one the damage he's done and the people whose life he's destroyed... does

    • Re:BURN HIM! (Score:5, Interesting)

      by Lumpy (12016) on Monday January 26, 2009 @01:18PM (#26609061) Homepage

      you were modded troll probably because many of the It security guys here don't want to be lynched when they get caught for their dirty deeds.

      I dont want to kill anyone, but I am a big supporter of public humiliation. part of his sentence needs to be 5 days in public stockades where people can throw non sharp objects at his face. and or take a few whacks with a switch to his body.

  • by Anonymous Coward on Monday January 26, 2009 @12:47PM (#26608573)

    He should have worked in finance. There it's expected for you to loot the company safe and walk away with billions of dollars. Leaving a burning building behind you taxpayers footing the bill for cleaning it up is absolutely expected. Big career path mistake on his part. Perhaps while in prison he can study for his MBA and open a hedge fund on release.

  • by htnmmo (1454573) on Monday January 26, 2009 @12:48PM (#26608595) Homepage

    Not everyone can create a botnet. There's some skill involved and you have to know details about vulnerabilities and how to exploit them.

    Did you expect him to be a shoe salesman?

    This is like that guy from the Gaming Control board that was cheating slots [pokertv.com].

    • by TheRealMindChild (743925) on Monday January 26, 2009 @01:09PM (#26608945) Homepage Journal
      There's some skill involved and you have to know details about vulnerabilities and how to exploit them.Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.
      • by Anonymous Coward on Monday January 26, 2009 @01:32PM (#26609261)
        Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.

        I'm sure every shoe salesman reading this knows exactly what you're on about.
      • by I)_MaLaClYpSe_(I (447961) on Monday January 26, 2009 @08:37PM (#26615727)

        Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.

        Well, you can arm a PoC Exploit and crack a few PCs that way. Then you have only access to the box. Typically this might get detected quite fast by AV vendors, so you better have to obfuscate that code some more.

        So by then you have a working sploit but you are not somewhere near to a botnet. First, you need code that stays on the box meaning it should start itself when the machine gets booted up. And if you want to be successful you should not choose HKLM/local...entVersion/run/ but something more subtle. The easy way to go here would be another less known registry value but this means executing a process that can be seen and thus be dealt with in your task manager. So, ideally you inject a dll into another process. Now that already takes quite some knowledge.

        Now you still do not have a botnet, still far from it but closer.

        No, you need a mechanism to distribute that code. That could be using the armed PoC exploit, brute forcing shares in the net, infecting files, copying to other devices or inclusion in Zip files etc. or just emailing itself in a combination with social engineering techniques so the recipient will execute that malware of yours.

        And writing your own SMTP engine in assembly might not be that easy anymore. But for the sake of the argument, let's say you want to exploit a Windows SMB vulnerability. Then you have to think about algorithms for finding an IP address in an effective manner. And you have to make sure that it does not spread to fast because then you create a lot of noise that will get peoples attention and you even might cause enough scanning/exploitation attempts to clog the very pipes you need to spread.

        That having said, you will want to disturb the work of antivirus companies. That means you have to identify the net ranges used by these AV companies and design your spreaing algorythm in a way that excludes those ranges. Then you will want to block AV software on infected hosts from getting signature updates, so you have to identify those IPs/DNS names as well in order to block the hosts access to them. As you can enter your victims through an exploit you even have the chance to avoid AV detection as a whole which means that you have to cleverly hide your presence form the AV or you (try to) disable the AV software altogether without the user and the host OS noticing. Not so easy at all! And you want to avoid to be dissected all to fast, so will want to implement some more obfuscation: assembly level anti-debugging features, self written executable packers, maybe virtual machine detection etc.

        Congratulations, you now have written a worm. Of course you better test it with various OSses, languages, releases and AV systems, right?

        Now, you still do not have a botnet!

        For a botnet, you need some command and control structures. You need to communicate with your victims. Now that makes you easily traceable, so you might want to make your botnet a double-fast flux peer-to-peer network. Easy, isn't it?

        And then you just have to find a way so that the money you are trying to make off of that botnet does not get easily traced back to you.

        But yes, I agree, all it needs is a script kiddie that can exchange some NOP and 0xEB 0xFE code with a working payload, right? As easy as winking.

        Clearly that guy neither must have any real knowledge about IT security nor can he be intelligent or skilled in any way.

        Which, BTW, does not mean that I do not condone this, in fact I do. But if you happen to have those skills and you probably have invested significant time into learning everything about it and you are being paid just a bit over minimum wage (e.g. because you were on parole or for some other reason) and you are told every second day that your skills are

        • Re: (Score:3, Interesting)

          The fact that you put that kind of time into such a reply is rather sad. You are playing up something that is way simpler than you want anyone to believe. Maybe you have your own botnet that is falling apart at the seams. I have no idea. My reply was a kneejerk reaction to someone who ALSO tried to play up how "hard" it is to successfully exploit a Windows machine.

          You know what it takes to create a botnet? Throwing a torrent up on thepiratebay.org something along the lines of "Windows XP SP3 Corporate Edit
    • I think the surprise doesn't come from the fact it was a security guy, but the idea that someone like a lot of slashdotters is that capable of hurting others. Outside of the money and women, part of what we do as IT is helping and protecting people in the wild west that is networks. The fact a "good guy" could be bad is an extra sucker punch because a lot of folks here deep down probably wouldn't do that, and would have a tough time associating with the reasons why.

      Idealistic, eh? Still, sucks when John Wayne saves the girl only to go rob the bank one town over.

      -Matt

      • by Anonymous Coward on Monday January 26, 2009 @01:45PM (#26609497)

        I wouldn't be surprised to find that most people are not too far away from the Office Space mentality: Having something to lose, fear of punishment and lack of opportunities seem to be the only barriers. Why do you think Russia is teeming with black hats? Those are intelligent people who have little to lose and much to gain by joining the dark side.

        Ethics is a team sport. We're not all heroes who do the right thing no matter what is being done to us. The hero or one-man-army image of security professionals should fade away. It's a delusion. People of all ranks and professions have it in them, as you should have noticed in the recent months. You have to account for people going rogue. Redundancy, verification and limited power are the way to security, not hiring a wizard.

      • by Anonymous Coward on Monday January 26, 2009 @02:41PM (#26610283)

        "Good? Bad? I'm the one with the gun." - Ash, Army of Darkness

        What do you mean, "one of us"? A common thief? An opportunistic prick who capitalizes on the ignorance of others? A coward, afraid to face the consequences of his actions? A foolish asshole who thought he would never get caught? None of those describe me (and I suspect not you either).

        Oh.. You mean he works in the IT department? That doesn't make him a "good" guy. In this country any asshole has the same opportunities as you or I. Its what we make of those opportunities that defines us.

        There is nothing inherently noble about working in IT.

    • ...or maybe that will be his new career. They could use a man of his honesty in that field.

    • Re: (Score:3, Insightful)

      by QuantumRiff (120817)

      No, but I'd expect him to know the repercussions of what he was doing, based upon his job. We hold people to higher standards in professional careers. A fireman that is an arsonist (okay, a criminal one, every fireman is a pyromaniac), or a Policeman that robs banks deserve much higher sentences for violating the public trust.

    • Devil's advocacy... (Score:3, Interesting)

      by BrokenHalo (565198)
      There's some skill involved and you have to know details about vulnerabilities and how to exploit them.

      Indeed. Many moons ago (back in the early 1980s, when "IBM PCs" were still new and beginning to be affordable) I was a security consultant to a certain large technology company not far west of London. Part of my brief was to write aggressive self-replicating routines in an attempt to disrupt crackers' activities. Thus I might claim credit for a few of the earliest viruses, but that's not really my point,
  • by nedlohs (1335013) on Monday January 26, 2009 @12:49PM (#26608601)

    As opposed to the 2007 before that?

  • 15 years seems like a long time to figure out the punishment for a guy after he's found guilty.
  • Disgraceful (Score:4, Insightful)

    by DeadPixels (1391907) on Monday January 26, 2009 @12:50PM (#26608627)
    While I'm not surprised that it was someone heavily involved in the field, as a future security professional myself, I'm rather ashamed that this man's greed won out over his ethics.
    • Re: (Score:3, Interesting)

      by Thiez (1281866)

      Why? ANYONE with a working brain can become a security professional. You are not in any way responsible for his actions (or for the actions of any other security professional), but by saying you feel 'ashamed' for his actions you suggest you somehow are (and that security professionals are incapable of independent thought...). Why do you feel shame?

      • Re:Disgraceful (Score:5, Informative)

        by Opportunist (166417) on Monday January 26, 2009 @02:56PM (#26610501)

        I am in the field, and I'm not ashamed for, but fuckin' angry at him.

        I keep talking 'til I turn blue to squelch the rumors that AV researchers spread malware themselves to have a reason to exist, we get that crap anyway. We try to hunt down asshats like that guy. And then, usually when you finally got at least part of the population to believe that you're actually out to help them, someone like him comes along and ruins it. For all of us. Try to build up trust when you hear that the person that claimed to help you actually was the one that infected you!

        I am, quite bluntly, insanely pissed at the guy.

  • by MillionthMonkey (240664) on Monday January 26, 2009 @12:50PM (#26608629)

    Their culprit would turn out to be a pimple-faced highschool kid dialing in with his VIC-Modem and Commodore 64, and then he'd maybe even get a drudging job offer. Nowadays the job offer part comes first.

    • Re: (Score:3, Insightful)

      by Opportunist (166417)

      Only because nobody in the field touches a known criminal with a 10 foot pole anymore. You may rest assured that he's out of the biz for good now.

      Unfortunately there are crooks in every field. You have firemen starting fires. You have cops breaking laws. And they're usually also harder to catch because they know exactly how the deal works, what to watch out for, how to do it to leave no usable tracks, etc.

      At least I can find my peace in the fact that it's not swept under the rug in our biz.

  • by gEvil (beta) (945888) on Monday January 26, 2009 @12:50PM (#26608639)
    ...says he's spent the past 15 working as a professional in the security scene...

    Oh my God! Only the past 15?!? I've already spent the past 120 perusing slashdot.

    Hint: qualifiers matter.
  • by Anonymous Coward on Monday January 26, 2009 @12:51PM (#26608647)

    Schiefer's attorney also said his history included a "substance abuse problem" and being "the target of sexual abuse."

    Riiight, because most victims of sexual abuse go and create botnets to steal bank passwords. Disingenuous much?

    • Bastard... (Score:2, Funny)

      by Anonymous Coward

      Two of my friends were gang-raped by botnets.

    • by Anonymous Coward on Monday January 26, 2009 @01:12PM (#26608985)

      Riiight, because most victims of sexual abuse go and create botnets to steal bank passwords. Disingenuous much?

      No, but they do engage in self destructive behavior such as substance abuse, addiction and crime.
      (not an excuse).

    • by blair1q (305137) on Monday January 26, 2009 @01:50PM (#26609563) Journal

      His future is going to look a lot like his past, then.

    • by gad_zuki! (70830)

      People suffering from real PTSD dont hold jobs and they certainly dont sit around writing botnet code. If you really have PTSD or mental trauma from abuse youre not very functional. This guy is pissing in the eye of people with real mental health issues for a lame sympathy vote for the jury.

      >substance abuse problem

      Ditto for this. Ive known a couple real addicts. People who deserve some sympathy for their mindless actions. None of them were as remotely functional as this guy.

      This guy is just an old fashio

  • Jail him. Now. (Score:4, Interesting)

    by postbigbang (761081) on Monday January 26, 2009 @12:54PM (#26608709)

    There should be 250,000 litigants, one each for the number of botted machines out there filing suit against him in addition to being behind bars with his hands cuffed (can one type in cuffs? might be interesting).

    This guy is a poster boy for how due process ought to work for computer criminals. The trust factor should be zero. This isn't a hero, this is a master thief.

  • 15 months, not years (Score:5, Informative)

    by immakiku (777365) on Monday January 26, 2009 @12:56PM (#26608745)
    Needs to be clarified is that this is 15 months he spent waiting for punishment, not 15 years. And the lenient sentencing is because he ultimately did not cause much damage.
    • by blair1q (305137)

      Did any other botnet operator learn anything from him?

      Did he disrupt the progress of networking and technology and banking by forcing resources to be diverted to preventing his sort of crime?

      Is he wasting my time by being infamous enough to get my attention on slashdot?

      He is not benign.

    • Re: (Score:3, Insightful)

      by 4D6963 (933028)

      And the lenient sentencing is because he ultimately did not cause much damage.

      What? Have you not heeded the cries of your fellow Slashdotters!? Lynch him! Draw him! Quarter him! Then hang his quarters separately!! Stealing bank passwords is so much worse than murder, rape or treason!

  • to make sure the grammar is correct and the submissions lack certain unpleasantries such as run-on sentences.
  • Please edit submissions that contain glaring grammatical errors.
    • Re: (Score:2, Insightful)

      by spikejnz (1393097)
      You're making the assumption that the "glaring grammatical errors" are obvious to those individuals making such "glaring grammatical errors."

      Fail!
  • by rs232 (849320) on Monday January 26, 2009 @12:57PM (#26608765)
    "An American security consultant who stole hundreds of thousands of online bank passwords by employing a massive botnet that he often administered from work"
    • by dodobh (65811)

      Would anyone ever suspect a security "professional" at work of administering a botnet from there? I would call it an extremely efficient disguise.

  • Five years? (Score:4, Insightful)

    by brian0918 (638904) <brian0918.gmail@com> on Monday January 26, 2009 @12:57PM (#26608769)
    Is it just me, or does 5 years seem kinda low for someone who has infiltrated 250,000 computers and has been stealing bank account passwords??
    • Re: (Score:2, Insightful)

      by furby076 (1461805)
      Considering that people who commit manslaughter can go to jail for less then no I don't think so.

      Problem with our legal system is that it has disparaging sentences. This turns out to be cruel and unusual punishment. We have people who kill others and go to jail for a couple of years...then we have people who rob banks who go to jail for a decade (plus extra time for each illegal weapon/ammunition even if a shot was never fired) and then we expect computer hackers (while malicious, didn't kill anyone) go
      • by ArsonSmith (13997)

        I have to agree. 5 years per offense seems reasonable. You hack a computer you get 5 years in jail. You hack 250,000 you get 1.25 million years in jail.

    • by neoform (551705)

      This is merely a case of someone breaking and entering 250,000 times as well as attempting bank fraud on each of his victims.. the guy should get a misdemeanor and do 20 hours community service.

  • This summary hurts my brain... last 2007 and the past 15? Really?

  • by Anonymous Coward on Monday January 26, 2009 @01:06PM (#26608889)

    My professional opinion is that Internet Explorer is a fast, reliable, and safe web browsing platform.

    Also, make sure ActiveX is turned on. It's important for your safety.

  • It should read,

    "Confessed Botnet Master Was a Security Professional"

  • While he's in prison, make him learn a new trade. Maybe by using one of those internet colleges. He couldn't cause trouble doing that.

  • In other news, Confessed Botnet Victims are Windows Users.
  • Hear that sound? (Score:4, Insightful)

    by yttrstein (891553) on Monday January 26, 2009 @01:16PM (#26609039) Homepage
    That's the sound of 30,000 other security professionals simultaneously saying "no shit!"
  • by gb7djk (857694) * on Monday January 26, 2009 @01:26PM (#26609193) Homepage
    So prosecutors are asking for 5 years for stealing 1000's of bank details by a professional security consultant. Yet for that dastardly foreigner (MacKinnon) and complete amateur that embarrassed the military and did not steal or actually damage anything other than the US Government's pride with his dial-up modem - he is in line for 70 years. Is it just me or is there something wrong here?
    • by tnk1 (899206)

      No, the lesson is, you shall not fuck with the military. They are in the habit of hurting back. It doesn't help that the military is generally in the habit of hurting foreigners and MacKinnon is a foreigner.

      I mean really, if you tried to hack into the Russian Army's or Chinese PLA's databases, what do you think would happen to you if they could get their hands on you, or even if they couldn't (read: ricin)?
       

  • Linkedin Profle? (Score:2, Informative)

    by Anonymous Coward

    Is the the same guy whose linkedin profile is here:

    http://www.linkedin.com/ppl/webprofile?action=vmi&id=12553940&authToken=bUKc&authType=name&trk=ppro_viewmore&lnk=vw_pprofile

    I'd start using a middle name if I had the same first and last names and was employed in the same city as this guy.

    Doesn't speak well for his employers' due diligence either....

  • Fixed it (Score:3, Funny)

    by DeanFox (729620) * <spam DOT myname AT gmail DOT com> on Monday January 26, 2009 @01:38PM (#26609375)

    "Quit being a bitch and claim it," Schiefer told an juvenile apprentice named Adam, according to court documents.

    How the tables turn. Now it's Schiefer who's going to be told, "You're my bitch now, I claimed it".

    -[d]-
  • by jollyreaper (513215) on Monday January 26, 2009 @03:28PM (#26611019)

    "John Schiefer, the Los Angeles security consultant who in last 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing.

    Even worse, I hear the submitter has been working the past 15 months as a professor of English language while awaiting sentencing for negligent grammarcide.

The meat is rotten, but the booze is holding out. Computer translation of "The spirit is willing, but the flesh is weak."

Working...