US Bot Herder Admits Infecting 250K Machines

AceCaseOR writes "In Los Angeles criminal court, security consultant John Schiefer, 26, has admitted infecting the systems of his clients with viruses to form a botnet containing a maximum of 250,000 systems. Schiefer used his zombies to steal users' PayPal usernames and passwords to make unauthorized purchases, as well as to install adware on their computers without their consent. Schiefer agreed to plead guilty to four felony charges of accessing protected computers to commit fraud, disclosing illegally intercepted electronic communications, wire fraud, and bank fraud. He will be sentenced Dec. 3 and faces up to 60 years in prison and a fine of $1.75 million."

from the article

[Anonymous Coward]

"...a system so simple even a grandmother could use it to infect computers..."

As a feminist, and a grandmother, i resent that.

Whoa!

[junglee_iitk]

... faces up to 60 years in prison and a fine of $1.75 million.

Sometimes somethings result in someother things that nobody would have expected. I feel sorry for this guy. But somehow I cannot come-up with any excuse as to why he should not be punished so harshly.

Re:

[Anonymous Coward]

I hope this means that our government / law enforcement actually realizes that this kind of activity is a problem now. Who do we hire to watch the security experts these days?

Re:

[Opportunist]

More security experts. Some are not crooks, you know. Some of us don't do it for money.

Re:

[Necrobruiser]

Some of us don't do it for money.
Says the guy whose /. login is "Opportunist"....

Re:

[Opportunist]

Maybe this is because the bribes and temptations are much larger. Could also be that people who go into politics (and are successful enough to actually get to the top) have to have some kind of crooked mindset in the first place.

I know a fair deal of security researchers. There are many fanatics in the biz. There are incredibly good people in the field who could have any job, including security chief of some large corporation that comes complete with more money than you can spend in a lifetime, yet they sta

He did the crime....he should do the time

[Joce640k]

He knowingly, willingly and maliciously did this. It wasn't an accident, a crime of passion or something he did because he was drunk one night, it took real work over many months. He was well aware of what he was doing the whole time he was doing it.

The proverbial book needs to be thrown at people like this. These are precisely the sort of people we should be making an example of.

Re:

[ScrewMaster]

These are precisely the sort of people we should be making an example of.

The problem with "making an example" (i.e. a harsher-than-required sentence handed down in order to "deter" similar crimes by other people) is that a. it really screws over the innocent guy and b. doesn't work anyway. Now, I'm not saying the sentence isn't warranted in this guy's case: hell, he admitted it. I just think that using excessive punishment as a deterrent serves no legitimate purpose. If, on the other hand, you meant "cat

Re:

[rbannon]

You said, ``hell, he admitted it.''

Fact is, admitting to a crime is not the same as being guilty. I'm not saying he's not guilty, but knowing how the system works casts serious doubts in my mind about his guilt.

Re:

[Anonymous Coward]

> He ... faces up to 60 years in prison and a fine of $1.75 million

So he's pleading guilty to avoid ... what, a way harsh punishment, like 65 years in prison and $2 million in fines?

It's always the man trying to bring someone down because he knows too much, eh?

Re:

[MillionthMonkey]

So he's pleading guilty to avoid ... what, a way harsh punishment, like 65 years in prison and $2 million in fines?

Waterboarding.

Re:

[RichardX]

Pfft. It's fuzzy liberals like you who are responsible for rampant crime in this country.
Sure, let's take criminals waterboarding. While we're at it, we can also send them snowboarding, and go-karting too, all on public money.

</tongue firmly in cheek>

Re:

[pokerdad]

So he's pleading guilty to avoid ... what, a way harsh punishment, like 65 years in prison and $2 million in fines?

I don't know about the US, but here it is typical for criminals to serve 1/3 of their sentence, unless they are considered a danger to society. So if pleading guilty means the difference between a 60 year sentence, out in 20, and a 300 year sentence, out in 100, then he likely made a sensibly choice.

Re:

[Oligonicella]

Fact is, admitting to a crime is not the same as being guilty.

Fact is, legally you're incorrect.

Re:

[pyat]

Not quite

Admitting/confessing to a crime is not the same as guilt.
I'm not a lawyer, but there are precedents

http://en.wikipedia.org/wiki/Birmingham_Six [wikipedia.org]
http://en.wikipedia.org/wiki/Guildford_Four [wikipedia.org]

Re:

[bakes]

Fact is, admitting to a crime is not the same as being guilty.

Fact is, legally you're incorrect.

Aren't there occasions (especially with high-profile cases) where lots of people claim to have committed the crime? Are they all guilty of that crime? There is also the situation where people are coerced into a confession. They are usually not guilty either.

Or is this all just stuff we see on television shows and doesn't happen in real life?

I agree with the GP - admitting to a crime doesn't necessarily mean guilt. (Although in this particular case it seems to be true).

Re:

[ta bu shi da yu]

He stole money. He hijacked other people's computers, and potentially violated their privacy. He used a botnet.

This was not a victimless crime. I'm glad he's getting that jail term and that fine - what did he expect?

Re:

[nanoakron]

The proverbial book needs to be thrown at people like this. These are precisely the sort of people we should be making an example of.

*BEEP* Wrong.

'Throwing the book at' and 'making examples of' people are exactly what your precious Bill of Rights was dead set against. Ever heard of a ban on 'Cruel and Unusual' punishments?

If he's the only person to receive 60 years in high security for his crime, I find it hard how you could justify his punishment as anything other than 'Cruel and Unusual'.

the jury having to witness the results

[grolaw]

Wicked observation. I assume that the KKK is your favorite jury pool, eh?

The proper punishment is to eliminate his access to computers and the Internet. Forever. If a 60 year prison sentence does that - well, it seems like a far more costly way to achieve the desired end than mandating a lifetime of work in fields not connected to computers and paying the fine until the day he dies.

The next time that you want to inflict inhumane punishments - go read up on the history of Great Britain - every horrible m

Re:Whoa!

[brassman]

Indeed, it's worth stressing why the penalty should be so severe. The guy positioned himself as a security expert, offering to protect his clients against this very sort of thing.

Gaining someone's trust with the intent to betray it is a particularly pernicious form of moral rot. It is called "embezzlement," and there is a reason it is viewed even more harshly than burglary or robbery under the law.

Losing property to a hostile stranger does not turn society upside down. Burglary (taking someone's property) is often considered rather petty, especially when the property owner is absent.

Robbery (taking property directly from someone) is more serious -- but even though there is an active component of threat, it can be impersonal: "Hand it over and nobody gets hurt." Robbery without violence might disrupt the victim's life, but the disruption might be only to the extent that he or she is reminded that none of us is an invulnerable superbeing.

Embezzling someone's assets invalidates their judgment and throws every decision they have ever made into question. It is psychologically devastating. When someone who has promised to protect you is instead the one who steals from you, he is undermining the basis of civilization itself.

Re:

[Aladrin]

So having someone invade your personal space and steal things that have sentimental value isn't psychologically devastating? Being robbed at gunpoint with your life on the line over some green paper isn't psychologically devastating? Think again.

I can agree that this is worse, but don't put down other peoples' experiences to make your point.

Re:Whoa!

[Grave]

I don't believe he meant to put down the experience of being robbed. Rather, I believe his point was that the morality of a person who commits of robbery is not quite as damaged and evil as someone who knowingly gains the trust of thousands just to deceive them. To the victim the difference may not be significant, but for the perpetrator of the act it is very different, and thus deserving of a more substantial punishment. Though I must say, he's not going to serve 60 years - that's the max, and I find it hard to believe any judge is going to sentence him to the full time, as it would be pretty much the rest of his life.

Re:

[ta bu shi da yu]

I don't think he's saying that. The poster was saying that embezzlement is worse than robbery in terms of psychology because they were tricked into giving up their goods. Thus it invalidates the faith they have in their judgement.

I don't think he was saying that robbery doesn't cause psychological scarring.

Re:

[SL Baur]

Indeed, it's worth stressing why the penalty should be so severe. The guy positioned himself as a security expert, offering to protect his clients against this very sort of thing.

TFA, which you apparently didn't read, says he agreed to plead guilty to those charges.

So, yes, he expects to be found guilty - he's pleading guilty. What worse punishment was offered? There's something very wrong with this picture.

I am agreement that what he did merits punishment, perhaps even as severe as the maximum, but what I don't understand is why he agreed to plead guilty. What did he have to lose fighting it? His life is ruined.

Re:

[dreamchaser]

Pleading guilty *might* get him a slightly shorter sentence. It might also get him nicer 'accommodations' while he is 'away'.

Re:

[1u3hr]

cannot come-up with any excuse as to why he should not be punished so harshly.

He won't be. That's [60 years] a maximum sentence. Deals, good behaviour, remisssion, etc; I'll be amazed if he serves two years at most.

Re:

[SL Baur]

You are missing a very big point. He agreed to plead guilty to the charges yielding those penalties.

What is wrong with this picture?

Re:

[LingNoi]

The laws should be changed so you get a week in jail for every computer you attack/infect..

250,000 * 6 days = over 4000 years.. I think the punishment fits the crime. ^_^

Re:

[Nullav]

theft, because he 'stole' untold trillions of CPU cycles, storage, and memory that could have been put to better use at the time

Or, you know...directly stealing money and all that stuff.

Re:Whoa!

[MillionthMonkey]

How many kilowatt-hours were devoted to this nonsense? How many tons of coal were burned to support a botnet of a quarter million computers? How many microkelvin did the resulting carbon dioxide raise the planet's temperature? How many square meters of ice cover did we lose? How many polar bears drowned or froze to death? There's a good Google interview question in here somewhere.

Of course one might ask how many polar bears Google itself has on its conscience but that's the wrong response to give at the interview.

Re:

[DrSkwid]

The polar bears should swim to the South pole, there's plenty of ice down there.

http://www.physorg.com/news4180.html [physorg.com]

Re:

[account_deleted]

Comment removed based on user account deletion

A better article, names companies involved, etc.

[trolltalk.com]

http://www.scamfraudalert.com/f142/john-kenneth-schiefer-botmaster-aka-acid-acidstorm-pleads-guilty-10692/ [scamfraudalert.com]

1. He was employed at a Los Angeles-based security firm known as 3G Communications,
2. The malware contained a sniffing feature that siphoned PayPal credentials from Protected Store, a section of Windows that stores passwords users have opted to have saved. Although Pstore, as the Windows feature is often called, encrypts the information before storing it, Schiefer's malware was able to read it, presumably by escalating its Windows privileges.
3. On one occasion, in December 2005, he moved money out of a Suffolk National Bank account to buy undisclosed domain names from a registrar by the name of Dynadot
4. Schiefer also used the botnet to collect more than $19,000 in commissions from a Dutch company called Simpel Internet for installing its adware on end users' machines without their permission.

3G Communications may go under because of him

[Joce640k]

3G Communications may also go under because of this guy's actions.

Would you trust them after this?

Unfortunately, I was a victim

[Anonymous Coward]

The adware and viruses he installed slowed my system down, so I couldn't get first post.

less than 15 cents per infected computer ...

[tomhudson]

According to the article, this jerk got $19,000 for dumping adware on more than 150,000 pcs.

He also encouraged minors to act as go-betweens:

At one point, according to the plea agreement, a conspirator named "Adam" expressed concern about stealing money. Schiefer responded by reminding Adam that he was not yet 18 and should "quit being a bitch and claim it

Obviously he had more than one kid "working" for him. He probably agreed to the plea-bargain because otherwise he'd be facing total possible time of several hundred years.

However, he won't be hired by anyone in the computer field after this - what he did was a simple con, no "computer wizardry" required. Hans Reiser would have more chance after a murder conviction.

Corrupting the mind of youths

[Lead Butthead]

Wish this was the ancient Greece, where people can be sentenced to death for corrupting the mind of youths.

Re:Corrupting the mind of youths

[tftp]

Unfortunately, ancient Greeks had nothing against corrupting the bodies of youths.

Re:

[ultranova]

Wish this was the ancient Greece, where people can be sentenced to death for corrupting the mind of youths.

Do you really want "not thinking of the children" to be a crime with death penalty as punishment ? Especially when the Greeks themselves invented that crime to get some excuse to kill Socrates, the real reason being that Socrates held unpopular views for his time ?

I, for one, think that our overlords are bad enough already. Besides, thinking of children all the time is a bit creepy, and acting on

Re:

[tomhudson]

"while all the other kids were put through a military program, whether or not they wanted to."

Several countries have compulsory military training - Albania, Algeria, Angola, Bhutan, Bolivia, Brazil, Burma, China, Cuba, Finland, Germany, Greece, Israel, Italy (until 2004), Korea (North and South), Kuwait, Libya, Moldova, Russia, Seychelles, Singapore, Switzerland, Thailand, Turkey.

Then there are the countries, like the US, that have "economic conscription" - with recruiters targeting impoverished commun

Re:

[tomhudson]

He got 2 kids to "participate" because, since they were minors, they "probably" wouldn't risk criminal records.

Would they have done this if he hadn't encouraged them? Who do you think ratted him out in the end?

Re:

[tomhudson]

Interesting punishment for an 8,000-unit botnet:

Sentence

The Jason Michael Downey sentence has been set as follows:

1. Prison term: The defendant is hereby committed to the custody of the United States Bureau of Prisons to be imprisoned for a total term of: 12 months and one (1) day.

2. Probation term: 3 years, no computer access without prior permission, and 150 hours of community service.

3. Restitution:
SOUTHO.NET $1,300.00
B2Netsolutions $310.00
Ingenieria $19,500.00
TOTAL: $21,110.00

If

broken justice?

[dwater]

I wonder if this is an instance of someone 'admitting' it just get some reduced sentence.

Just because you admit to something in a court does not mean it's actually true.

Re:

[dwater]

Yeah, you're probably right. On the other hand, do you get to know the sentence before the plea? I guess he can always appeal, right?

Re:

[Kopiok]

Well, from what I know what happens, the Prosecution gives a sentencing offer and the defendant will agree to plead guilty in order to accept the sentence. Either that or I watched too much Law and Order.

Re:

[dwater]

Hrm. I thought the judge determined the sentence (ie the punishment, or how long in jail), and the lawyers determine the charge (ie murder/manslaughter/etc) - though I guess the latter determines the limits for the former.

Re:broken justice?

[RenderSeven]

I guess he can always appeal, right?

You cant appeal a guilty plea.

Re:

[NXIL]

Thanks Larry. See you in Minnesota...stall 4.

Auditing, Auditing...

[BoRegardless]

This is why companies have outside auditors for their accounting departments.

Should not companies now figure out how to audit their IT deparments regularly?

This is NOT that uncommon, after reading some of the stuff written by the forensic snoops hired by private companies (who mostly do not want anyone to know that anything was compromised...shareholders & investors for instance).

Re:

[RollingThunder]

I've certainly come to know the auditor's presence as a normal thing, but that may largely be because of SOX compliance for our American clients, etc. We have to demonstrate (among many other things) paper trails for system access, process and procedures (both defined and verified as followed), etc.

Re:Auditing, Auditing...

[thatskinnyguy]

As it seems from the summary, the companies who fell prey to this malfeasance either don't have IT departments or the budget to support one. I used to work for a company that was an outsourcing service provider for companies' IT needs. It's surprising how many well-established companies don't want to put the resources into a dedicated IT department let alone a special division for auditing the computerized processes and systems that keep the business afloat.

Re:

[Sanat]

"This is why companies have outside auditors for their accounting departments."

Major company I worked for in Australia had the financial comptroller cook the books for 1.75 million Australian dollars. He and his family absconded to England over a holiday weekend. The Managing Director suspected something wasn't right and wanted an outside auditor to check the books but the regional VP said "no"... don't waste the money.

Basil Brown was able to get something on all of the major players in the company so it wa

Re:

[jobsagoodun]

Most of the IT depts I've worked in have a separate audit function, and external auditors visiting once a year. Sadly, they'd never spot any real problems in a million years as they just work down a tick list of identified risks and then give a seal of approval. I think the approval is what is really wanted; certainly nobody wants any expensive to solve problems highlighting!!

Re:

[CustomDesigned]

And by the way, what the %$^# was M$ thinking when they left a backdoor to encrypted data in their OS. And perhaps, more importantly ...
Why? Would you ever store passwords and important data again with M$ technology, knowing M$ can read this data anytime they want to?

I don't think there was a backdoor. As I understand it, his malware waited until the user entered their master password to use paypal, and then logged the data unencrypted at that time. Same principle as a key logger, but less noise. Your point stands, however, that due to the closed source nature of Windows, M$ is *always* in the position to do any logging of anything they want. Yeah, such stuff could be hidden in open source, and nobody has time to examine every line of open source code. But *in pri

certification?

[memnock]

is there some kind of accreditation or certification for security consultants? i understand credentials can be forged, but could an agency for security consultant certification help?

Re:

[TechyImmigrant]

Certification to a security consultant usually means X.509, RFC3280bis and a sprinkling of ESP methods.

Re:

[muffel]

Wow -- are you kidding, or are you actually that ... [insert your favorite adjective]?

Re:

[Paradise Pete]

Wow -- are you kidding, or are you actually that ... [insert your favorite adjective]?

Peripatetic. But that's neither here nor there.

Re:

[eli pabst]

Depends. Some of the lower tier certs would fall under that category, but the CISSP and SANS certs are certainly non-trivial. I'd wager the vast majority of recent CS and IS graduates would fail those exams.

What about Sony

[31415926535897]

If he gets a fine this large and jail time for infecting 0.25 million computers, where's the appropriate sentence for Sony for knowingly infecting millions of computers with the rootkit on their CDs?

Re:

[Nazlfrag]

You're right. If he just incorporated before this event, he could just dismiss himself with a sweet golden handshake to boot.

Re:What about Sony

[Kjella]

If he gets a fine this large and jail time for infecting 0.25 million computers, where's the appropriate sentence for Sony for knowingly infecting millions of computers with the rootkit on their CDs?

Ah, you can just hear the angry raving mob forming, ready to burn down Sony headquarters.

four felony charges of accessing protected computers to commit fraud, disclosing illegally intercepted electronic communications, wire fraud, and bank fraud.

Maybe when Sony has actually committed anything like this? The only charge that has the slightest whiff of relevance is that the rootkit CDs may be be considered fraudulent, but to legally charge Sony with fraud they must gain some benefit through fraud, and I don't see what that could be. Yes, they should have been slapped under some sort of hacking law but this is comparing apples and oranges.

Re:

[jotok]

More like oranges and grapefruits. Would Sony have installed the rootkits if they didn't seek some benefit? What could it have been?

If it serves the purpose of something as simple as making their marketing strategy work, then the rootkit added value, and its use constitutes fraud.

Re:

[petermgreen]

IIRC it was primerally there to prevent ripping of the CD.

Re:

[giafly]

to legally charge Sony with fraud they must gain some benefit through fraud

The rootkit phoned home [slashdot.org], so they got data, which is worth money. I think Sony didn't get sued because basically they plea-bargained. This new criminal doesn't have enough money to pay compensation, so that's not a realistic option.

Re:

[sjames]

Maybe when Sony has actually committed anything like this?

OK, let's charge Sony like we might charge a simple vandal. $100 fine plus cost to fix the problem for each offense. That should come out to about a quarter billion dollars in fines and perhaps another half billion to send people around disinfecting PCs. Naturally, they will be expected to give each person a full refund as well.

Re:

[6Yankee]

Have some cojones Thanks for the offer, but if it's all the same to you I'll stick to the pizza...

"security consultant" John Schiefer

[pongo000]

Please don't insult the thousands of honest security consultants by calling this guy a "security consultant." The title of "con artist" would be far more accurate.

Re:"security consultant" John Schiefer

[mrbluze]

Please don't insult the thousands of honest security consultants by calling this guy a "security consultant." The title of "con artist" would be far more accurate.

Ok, but what is a security consultant? I have a friend who is a colour consultant but she has no education and drives around in a small car telling people what curtains to buy and clothes to wear. Another colour consultant I met almost made me buy pink curtains... whew, lucky I checked her credentials. She was colour blind!

These days, using the word "consultant" outside of strictly regulated industries (eg: medical field) is just a method of social 'privilege escalation', as far as I'm concerned.

Re:"security consultant" John Schiefer

[Anonymous Coward]

Quoth dogbert, "I like to con people. And I like to insult people. If you combine con & insult, you get consult!"

Re:"security consultant" John Schiefer

[cmacb]

These days, using the word "consultant" outside of strictly regulated industries (eg: medical field) is just a method of social 'privilege escalation', as far as I'm concerned.

If you need any help telling the real consultants from the phony ones, just contact me, I'm a Consultant Consultant, although our industry association is considering a name change to "Consultant 3.0".

Thx

Re:

[eli pabst]

Security is an interesting niche in that most small to medium size businesses are large enough that they need the skills of someone knowledgeable in computer/network security but yet it's not such a necessity that they require dedicated staff to handle it. Hence you hire a outside consultant to handling things like auditing, designing build docs, incident handling. A few years ago being a security consultant meant anything from a professional with an advanced degree and certs to some ex-script kiddie. I

Re:

[vishbar]

Ok, but what is a security consultant?

They help re-ideate workflow paradigms to achieve a secure, interoperable, and synergetic enterprise framework to enhance cross-platform, next-generation outside-the-box collaberation.

Duh.

Re:

[dangitman]

Please don't insult the thousands of honest security consultants

Wait, do you mean to tell me that such people actually exist? Doesn't sound plausible to me.

Crime and Punishment

[Synonymous Bosch]

There's nothing constructive to derive from this post but pointless speculation. Let that take care of the concerns of the trolls and critics right off the bat, nothing to see here, move along.

Anyways, I've been doing a bit of thinking about this issue.

You often hear about 'white collar' criminals being given massive sentences. They could be organisers of international software piracy rings, super electronic fraudsters (like the one mentioned in the original parent article), whatever. The numbers of years they are sentenced to and dollars they are fined just seem to get bigger and bigger each time i hear a new story.

New laws are increasingly being passed to raise the penalties for electronic crimes. These harsher penalties don't seem to be acting as much of a deterrent, however.

The economic damage caused by internet and computer crime is staggering, the number of victims (as seen in the article) in the hundreds of thousands, potentially even millions. Could there come a time where these crimes could incur capital punishment?

disclaimer: i come from a country without the death penalty, and personally don't understand the necessity for it, so don't read this as my supporting the idea. This isn't about my personal philosophy.

Murder is already a capital crime in a number of US states. People are already being executed in many countries for crimes other than murder. Drug trafficking, serious sexual offences, could it be a relatively a small step for internet crimes to escalate into capital territory?

The internet being international as it is and the victims of these crimes often being selected so indiscriminately, could it be a matter of time before an american committing e-fraud is indicted in a country where his crimes are of a capital nature?

Extrapolating ludicrously, could a european citizen not subject to capital punishment be indicted by an america where their internet-based crime warrants the death penalty?

It's controversial enough when a citizen of a country that doesn't have the death penalty is sentenced to death in one that does. Imagine if the crime they committed was something we might look at as being comparatively trivial in nature.

Re:Crime and Punishment

[despisethesun]

Extrapolating ludicrously, could a european citizen not subject to capital punishment be indicted by an america where their internet-based crime warrants the death penalty?

It's worth noting that most countries without the death penalty will not extradite you to a country with the death penalty if you're facing that punishment when you get there. They generally require assurances that you will face life without parole if convicted instead.

Re:Crime and Punishment

[AceCaseOR]

Murder is already a capital crime in a number of US states. People are already being executed in many countries for crimes other than murder. Drug trafficking, serious sexual offences, could it be a relatively a small step for internet crimes to escalate into capital territory?

I'm going to say this isn't very likely. At least in the US, people are only executed for crimes where they cause direct physical harm to another person (generally murder and occasionally rape). For other offences you generally get a life sentence, or defacto life sentence (say 135 years in the clink).

Re:

[DrFalkyn]

I'm going to say this isn't very likely. At least in the US, people are only executed for crimes where they cause direct physical harm to another person (generally murder and occasionally rape). For other offences you generally get a life sentence, or defacto life sentence (say 135 years in the clink).

Uh no - rape in of itself is a not a capital offense, the max penalty in most states is life imprisonment. You may be thinking of murder in the commission of a rape(or sexual assault in general), which is def

Re:

[moderatorrater]

It's not likely given they would have to be extradited in most cases. Since extradition (usually) requires the permission of the country they're currently in, if the punishment is that outlandish, they won't grant their permission. As a sibling post mentioned, the chances of the US actually doing something that ridiculous is very small (when they allow the death penalty for rape *without* murder, then come talk to me).

what should happen

[FudRucker]

he should be fined for everything he has, 100% of his money in all banking accounts, have all his property taken away, real estate, valuables = gold, jewelry, computers, TVs, stereos, etc... everything he owns, and given a long prison sentence of 40 years...

Re:

[tftp]

What's the point of such a sentence? He'd get out when he is 65 years old, without money, without home and obviously without work. The first rational thing he'd do is to jump off of a bridge. Why then did you, a taxpayer, housed and fed him for most of his life? You should either give him a reasonable sentence (not more than 5-10 years, allowing rehabilitation) or instant death.

Re:

[Belacgod]

Sentence him to 50% wage garnishment for life.

Security Fix has an exclusive interview

[tsu doh nimh]

from the story:....Schiefer said he and his friends spread the bot programs mainly over AOL Instant Messenger (AIM). By using malicious "spreader" programs such as Niteaim and AIM Exploiter, Schiefer and his co-conspirators spammed out messages inviting recipients to click on a link. Anyone who took the bait had a "Trojan horse" program downloaded to their machine, an invader that then tried to fetch the malicious bot program." Read more at this link here [washingtonpost.com].

Hard punishment? Hardly.

[Opportunist]

I'm the last person to support insane prison time and fines as a deterrent. It ain't one. It never has been and never will be. Look at the insane punishments we got today for copyright infringement. And I'm not even talking about the civil suits for "damages" (or as I like to call it "the MI's new business model"). We now got 10 years prison time for that as a maximum sentence. For the same penalty, I could rob a bank, hold people hostage for a few hours and wreck a getaway card into a school.

This isn't just a "simple" criminal using malware to steal IDs. He was the guy who was supposed to disallow exactly that. He was the one people trusted to keep them clean from malware. Now, he didn't just fail in his job and allow it despite his attempts, he deliberately and intentionally infected his clients' computers.

That's why I don't think this punishment is overdone. We're talking about the maybe most insidious way of breaking a law: Getting people's trust, getting them to believe you you're going to keep them save from just what you want to do to them. It's like a cop breaking into your home or your babysitter ... ok, no thinkofthechildren examples. But you get the idea.

This is NOT the punishment I'd see as adequate for a "normal" malware attacker (even though I would love to see them dangling from their dangling bits, but that's my personal opinion).

As for those that expect him to get out after 5 years and have a great job then, I can tell you this: I can't say anything about his time, but his job opportunities are going to be slim. The security industry isn't big. People know each other. People like this are going to be not known, they are infamous. And nobody will willingly touch him with a 10 foot pole.

Re:

[Rocketship Underpant]

I don't like the idea of prison for this kind of criminal (well, any kind actually). It does no one any good, aside from satisfying the schadenfreude of Slashdot readers.

What he *should* be made to do is to repay every single one of his victims, double his theft plus interest. If that enslaves him to his victims for the rest of his life, so be it. No one benefits from the government collecting some fines, and the fraudster spending the rest of his life behind bars becoming a drug addict or doing whatever el

Re:

[Opportunist]

Where do I sign?

Re:

[sjames]

I agree, he doesn't likely have a great job ahead of him. For one, the story of criminal hacker gets busted, does time, gets hired to keep people like him out is becoming much less common now. Computer security was in it's infancy when that was common.

Next, he didn't actually display any great skill. He didn't crack an "uncrackable" system, he convinced people who didn't know better to click a link.

Finally, unlike the well employed ex-hackers, he has already proven that he will happily bite the hand tha

he had 250 thousand clients?

[DragonTHC]

where do I get numbers like those? my client list is a bit smaller at the moment.

no one has mentioned capability

[fdisk3hs]

No one has mentioned the first thing I thought - why are we busting all these people without thinking of fixing the problem - the problem being people running software on their computers that allows them to be very easily hacked.

Sigh. No one blames Microsoft for releasing proven insecure software, even on machines that have No eXecute bits. Shit.

I've been using *nix or MacOS since 2000. I haven't even had to think about being hacked. The worst thing that happened was that I had an ftp se

OOM killer

[Schraegstrichpunkt]

250K should be enough for anyone.

Re:

[Secrity]

With time off for good behavior, it will be less than 30 months. He may even be able to get most of that as work release.

Re:White collar

[Dogtanian]

He'll get 5 years at a country club and a bunch of great job offers after he gets out. You heard it here first.

Actually, I suspect that there's going to be a major perceived difference between someone who has simply hacked into others' computers in the past, and someone who has specifically exploited the trust of and targeted those who employed him to protect their PCs.

Would I trust a former black-hat hacker to protect my computers? Possibly. Would I trust someone who has specifically targeted and screwed over his clients in the past- the people who paid him good money to protect them from such behaviour? Would I fuck.

Re:

[SL Baur]

It almost seems like you're excusing his behavior, and blaming it on Microsoft.

Passwords should never be saved in plaintext. Clearly though, Microsoft is not the only one with criminally stupid behavior here because Mozilla/Firefox, Konqueror, Safari, etc. will do it too.

Both parties are guilty, and yes, I think any software product that stores passwords like that should be held guilty when that facility is exploited. To be sure, I am not including buffer overflows in that category. Human error is different from ignorance of history.

Password saving features, like ActiveX and Javas

Re:

[JohnFluxx]

Konqueror certainly does not keep passwords in plain text. It encrypts the passwords using kwallet - that's why the kwallet thing pops up asking for a password.

Re:

[SL Baur]

I'm not going to respond to the anonymous coward and for the record, my favorite browser is Konqueror.

For an automatic password thingie to work, it must store the passwords effectively as plain text. Please type password so I can automatically insert your password on this line? [ok]? I think not. That means that somewhere in the code path the password is in plain text or an encryption key is hardcoded into the binary.

Consider how he did this thing. He patched the binary to give access to the stored pas

Re:

[JohnFluxx]

> Please type password so I can automatically insert your password on this line? [ok]? I think not.

That is exactly what happens!

The first time that konqueror or kopete etc etc tries to access your passwords, kwallet pops up a dialog box and asks for the kwallet password. That password is then used to decrypt the password file.

You seem to understand kwallet from the last sentence though.

Re:

[pclminion]

He'll get 5 years at a country club and a bunch of great job offers after he gets out. You heard it here first.

What kind of fucking lunatic would hire somebody who has PROVEN that he says he's one thing but is actually another?

Kevin Mitnick got job offers, but he never claimed to be a white-hat hacker in the first place. This situation is very different. This is a guy who said he was a security expert, who turned around and fucked people over. Anybody who hires this guy in the future for his security

Re:White collar

[MillionthMonkey]

What kind of fucking lunatic would hire somebody who has PROVEN that he says he's one thing but is actually another?

Oh you'd be surprised. This guy might have a bright future ahead of him in politics.

Re:

[Aladrin]

I dunno about 'is' being murdered, but you're doing a pretty good job on the English language.

Re:

[Sanat]

How about something like spending the rest of their lifetime in Athens, Ohio

And for the really bad ones... Youngstown, Ohio