Confessed Botnet Master Is a Security Professional
An anonymous reader writes "John Schiefer, the Los Angeles security consultant who in last 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing. Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society."
BURN HIM! (Score:5, Interesting)
He is one of those people who, in my opinion, qualifies for MUCH more harsh punishment. My opinions are on the far extreme though... not likely to happen, but it does call for a good old fashioned lynching.
Re:BURN HIM! (Score:5, Interesting)
He is one of those people who, in my opinion, qualifies for MUCH more harsh punishment.
Well, the US prosecutor could just allege that he's capable of starting World War III if given an opportunity to whistle into a telephone to get him thrown into solitary confinement. It might even be more believable than the last time they used it successfully.
In all seriousness... (Score:5, Insightful)
From TFA:
From your comment:
In all seriousness, it's a really bad idea to suggest that being capable of something, or representing a threat, is enough to punish someone for. Yes, this guy has probably caused a lot of damage. Should we convict him on the "probably"? No. Get some real, hard evidence, then do something. Preferably, do something useful, like show him how much damage he caused, and introduce him to the people whose lives he messed up, rather than just taking revenge on him. People who do that (namely, most of the so-called justice system) are part of the problem that makes this a dog-eat-dog world, not part of the solution.
Re: (Score:3, Informative)
In all seriousness, it's a really bad idea to suggest that being capable of something, or representing a threat, is enough to punish someone for.
Yeah, I'm not sure why I'm getting Funny mods for referencing the treatment of Kevin Mitnick either.
How do you propose to do that? (Score:3, Interesting)
Actually, here's a fun thought:
1. The people in prisons score on the average over 20 on the antisocial personality disorder scale, which is to say you have a spectrum ranging from borderline sociopathic to outright psychopaths. A normal person scores 2-3.
2. There is no known way to turn a sociopath into a normal person. Trying to psychoanalyze them just teaches them to fake the answers that will hide their callousness better.
3. Showing one the damage he's done and the people whose life he's destroyed... does
Re:BURN HIM! (Score:5, Interesting)
You were modded troll probably because many of the IT security guys here don't want to be lynched when they get caught for their dirty deeds.
I don't want to kill anyone, but I am a big supporter of public humiliation. Part of his sentence needs to be 5 days in public stockades where people can throw non-sharp objects at his face, and/or take a few whacks with a switch to his body.
Re: (Score:3, Interesting)
Maybe public stockades in some alley in San Francisco. For 5 nights.
Re: (Score:2)
Re: (Score:2, Funny)
Re:BURN HIM! (Score:5, Funny)
no a small netgear 8 port router with all the cables plugged in we 8 ports + 1wan = cat-o-9 tails :D
Re:BURN HIM! (Score:5, Funny)
Re:BURN HIM! (Score:4, Funny)
What is reminding him of high-school supposed to achieve?
Divine Comedy (Score:4, Insightful)
Well he's already on path for the 8th or 9th circle of hell. [wikipedia.org]
8th Circle:
Bolgia 8: Fraudulent advisors are encased in individual flames.
9th Circle:
Round 2: Antenora is named for Antenor of Troy, who according to medieval tradition betrayed his city to the Greeks. Traitors to political entities, such as party, city, or country, are located here.
Re:Divine Comedy (Score:5, Insightful)
BANKSTER wannabe (Score:5, Funny)
He should have worked in finance. There it's expected for you to loot the company safe and walk away with billions of dollars. Leaving a burning building behind you, with taxpayers footing the bill for cleaning it up, is absolutely expected. Big career path mistake on his part. Perhaps while in prison he can study for his MBA and open a hedge fund on release.
Re: (Score:3, Insightful)
If I had to points I'd mod you insightful.
Re: (Score:2, Funny)
I just did. I still don't believe why people like Richard Fuld and Bernard Madoff aren't in prisons yet. If people like those can be forgiven, then almost any criminal can be forgiven, save murderers.
Re:BANKSTER wannabe (Score:5, Funny)
Slashdotters have alts?
What, were you bored with your original account and decided to roll a shammy?
This should come as no surprise (Score:5, Insightful)
Not everyone can create a botnet. There's some skill involved and you have to know details about vulnerabilities and how to exploit them.
Did you expect him to be a shoe salesman?
This is like that guy from the Gaming Control board that was cheating slots [pokertv.com].
Re:This should come as no surprise (Score:4, Insightful)
Re:This should come as no surprise (Score:5, Funny)
I'm sure every shoe salesman reading this knows exactly what you're on about.
It might be slightly trickier than that (Score:5, Interesting)
Not generally. When you see a run of the mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing values of a few variables to get it to deliver your payload vs. what the example was doing.
Well, you can arm a PoC Exploit and crack a few PCs that way. Then you have only access to the box. Typically this might get detected quite fast by AV vendors, so you better have to obfuscate that code some more.
So by then you have a working sploit but you are not somewhere near to a botnet. First, you need code that stays on the box meaning it should start itself when the machine gets booted up. And if you want to be successful you should not choose HKLM/local...entVersion/run/ but something more subtle. The easy way to go here would be another less known registry value but this means executing a process that can be seen and thus be dealt with in your task manager. So, ideally you inject a dll into another process. Now that already takes quite some knowledge.
Now you still do not have a botnet, still far from it but closer.
No, you need a mechanism to distribute that code. That could be using the armed PoC exploit, brute forcing shares in the net, infecting files, copying to other devices or inclusion in Zip files etc. or just emailing itself in a combination with social engineering techniques so the recipient will execute that malware of yours.
And writing your own SMTP engine in assembly might not be that easy anymore. But for the sake of the argument, let's say you want to exploit a Windows SMB vulnerability. Then you have to think about algorithms for finding an IP address in an effective manner. And you have to make sure that it does not spread too fast because then you create a lot of noise that will get people's attention and you even might cause enough scanning/exploitation attempts to clog the very pipes you need to spread.
That having said, you will want to disturb the work of antivirus companies. That means you have to identify the net ranges used by these AV companies and design your spreading algorithm in a way that excludes those ranges. Then you will want to block AV software on infected hosts from getting signature updates, so you have to identify those IPs/DNS names as well in order to block the host's access to them. As you can enter your victims through an exploit you even have the chance to avoid AV detection as a whole which means that you have to cleverly hide your presence from the AV or you (try to) disable the AV software altogether without the user and the host OS noticing. Not so easy at all! And you want to avoid to be dissected all too fast, so will want to implement some more obfuscation: assembly level anti-debugging features, self written executable packers, maybe virtual machine detection etc.
Congratulations, you now have written a worm. Of course you better test it with various OSes, languages, releases and AV systems, right?
Now, you still do not have a botnet!
For a botnet, you need some command and control structures. You need to communicate with your victims. Now that makes you easily traceable, so you might want to make your botnet a double-fast flux peer-to-peer network. Easy, isn't it?
And then you just have to find a way so that the money you are trying to make off of that botnet does not get easily traced back to you.
But yes, I agree, all it needs is a script kiddie that can exchange some NOP and 0xEB 0xFE code with a working payload, right? As easy as winking.
Clearly that guy neither must have any real knowledge about IT security nor can he be intelligent or skilled in any way.
Which, BTW, does not mean that I do not condone this, in fact I do. But if you happen to have those skills and you probably have invested significant time into learning everything about it and you are being paid just a bit over minimum wage (e.g. because you were on parole or for some other reason) and you are told every second day that your skills are
Re: (Score:3, Interesting)
You know what it takes to create a botnet? Throwing a torrent up on thepiratebay.org something along the lines of "Windows XP SP3 Corporate Edit
It's not shoe salesman vs IT, it's "one of us" (Score:5, Insightful)
I think the surprise doesn't come from the fact it was a security guy, but the idea that someone like a lot of slashdotters is that capable of hurting others. Outside of the money and women, part of what we do as IT is helping and protecting people in the wild west that is networks. The fact a "good guy" could be bad is an extra sucker punch because a lot of folks here deep down probably wouldn't do that, and would have a tough time associating with the reasons why.
Idealistic, eh? Still, sucks when John Wayne saves the girl only to go rob the bank one town over.
-Matt
Re:It's not shoe salesman vs IT, it's "one of us" (Score:5, Insightful)
I wouldn't be surprised to find that most people are not too far away from the Office Space mentality: Having something to lose, fear of punishment and lack of opportunities seem to be the only barriers. Why do you think Russia is teeming with black hats? Those are intelligent people who have little to lose and much to gain by joining the dark side.
Ethics is a team sport. We're not all heroes who do the right thing no matter what is being done to us. The hero or one-man-army image of security professionals should fade away. It's a delusion. People of all ranks and professions have it in them, as you should have noticed in the recent months. You have to account for people going rogue. Redundancy, verification and limited power are the way to security, not hiring a wizard.
Re: (Score:3, Funny)
You have to account for people going rogue. Redundancy, verification and limited power are the way to security, not hiring a wizard.
Why not multiclass? You get the dex bonus to armor and all the other benefits of both classes!
Re:It's not shoe salesman vs IT, it's "one of us" (Score:4, Informative)
Make a lot of money, Keep it Legal, Like your Job. Pick TWO.
Re:It's not shoe salesman vs IT, it's "one of us" (Score:5, Insightful)
"Good? Bad? I'm the one with the gun." - Ash, Army of Darkness
What do you mean, "one of us"? A common thief? An opportunistic prick who capitalizes on the ignorance of others? A coward, afraid to face the consequences of his actions? A foolish asshole who thought he would never get caught? None of those describe me (and I suspect not you either).
Oh.. You mean he works in the IT department? That doesn't make him a "good" guy. In this country any asshole has the same opportunities as you or I. It's what we make of those opportunities that defines us.
There is nothing inherently noble about working in IT.
Re: (Score:3, Interesting)
think about it. it's job security.
specifically code a flaw in the code that's hard to find. a few months later, sell out the exploit. go back to the client and say "wow, these guys are smart, i didn't even think they could do that." then make more money fixing the flaw.
lather, rinse, repeat, and most importantly in these troubled economic times, stay in business.
it's like a window company driving around at night and putting bricks through shop windows.
No, I expected him to be a securities manager (Score:2)
...or maybe that will be his new career. They could use a man of his honesty in that field.
Re: (Score:3, Insightful)
No, but I'd expect him to know the repercussions of what he was doing, based upon his job. We hold people to higher standards in professional careers. A fireman that is an arsonist (okay, a criminal one, every fireman is a pyromaniac), or a Policeman that robs banks deserve much higher sentences for violating the public trust.
Devil's advocacy... (Score:3, Interesting)
Indeed. Many moons ago (back in the early 1980s, when "IBM PCs" were still new and beginning to be affordable) I was a security consultant to a certain large technology company not far west of London. Part of my brief was to write aggressive self-replicating routines in an attempt to disrupt crackers' activities. Thus I might claim credit for a few of the earliest viruses, but that's not really my point,
"in last 2007" (Score:5, Funny)
As opposed to the 2007 before that?
Re: (Score:3, Insightful)
2007 BCE?
Re: (Score:2)
Re: (Score:2)
Last 15 bank passwords (Score:2)
Bank passwords. Don't they teach people how to parse sentences any more?
How long does sentencing take? (Score:2)
Re: (Score:2, Informative)
Re: (Score:3, Insightful)
Read the article, not the summary.
Disgraceful (Score:4, Insightful)
Re: (Score:3, Interesting)
Why? ANYONE with a working brain can become a security professional. You are not in any way responsible for his actions (or for the actions of any other security professional), but by saying you feel 'ashamed' for his actions you suggest you somehow are (and that security professionals are incapable of independent thought...). Why do you feel shame?
Re:Disgraceful (Score:5, Informative)
I am in the field, and I'm not ashamed for, but fuckin' angry at him.
I keep talking 'til I turn blue to squelch the rumors that AV researchers spread malware themselves to have a reason to exist, we get that crap anyway. We try to hunt down asshats like that guy. And then, usually when you finally got at least part of the population to believe that you're actually out to help them, someone like him comes along and ruins it. For all of us. Try to build up trust when you hear that the person that claimed to help you actually was the one that infected you!
I am, quite bluntly, insanely pissed at the guy.
I miss the old days (Score:5, Insightful)
Their culprit would turn out to be a pimple-faced high-school kid dialing in with his VIC-Modem and Commodore 64, and then he'd maybe even get a drudging job offer. Nowadays the job offer part comes first.
Re: (Score:3, Insightful)
Only because nobody in the field touches a known criminal with a 10 foot pole anymore. You may rest assured that he's out of the biz for good now.
Unfortunately there are crooks in every field. You have firemen starting fires. You have cops breaking laws. And they're usually also harder to catch because they know exactly how the deal works, what to watch out for, how to do it to leave no usable tracks, etc.
At least I can find my peace in the fact that it's not swept under the rug in our biz.
the past 15?!? (Score:5, Funny)
Oh my God! Only the past 15?!? I've already spent the past 120 perusing slashdot.
Hint: qualifiers matter.
Being sexually abused is a mitigating factor? (Score:4, Insightful)
Riiight, because most victims of sexual abuse go and create botnets to steal bank passwords. Disingenuous much?
Bastard... (Score:2, Funny)
Two of my friends were gang-raped by botnets.
Re:Being sexually abused is a mitigating factor? (Score:4, Insightful)
Riiight, because most victims of sexual abuse go and create botnets to steal bank passwords. Disingenuous much?
No, but they do engage in self destructive behavior such as substance abuse, addiction and crime.
(not an excuse).
Re:Being sexually abused is a mitigating factor? (Score:5, Funny)
His future is going to look a lot like his past, then.
Re: (Score:2)
People suffering from real PTSD don't hold jobs and they certainly don't sit around writing botnet code. If you really have PTSD or mental trauma from abuse you're not very functional. This guy is pissing in the eye of people with real mental health issues for a lame sympathy vote for the jury.
>substance abuse problem
Ditto for this. I've known a couple real addicts. People who deserve some sympathy for their mindless actions. None of them were as remotely functional as this guy.
This guy is just an old fashio
Re: (Score:2, Insightful)
Sexual abuse victims are more likely to commit murder (of their abuser) or sexually abuse others. I'm fairly certain that they aren't any more likely than you or me to create a botnet.
Jail him. Now. (Score:4, Interesting)
There should be 250,000 litigants, one each for the number of botted machines out there filing suit against him in addition to being behind bars with his hands cuffed (can one type in cuffs? might be interesting).
This guy is a poster boy for how due process ought to work for computer criminals. The trust factor should be zero. This isn't a hero, this is a master thief.
Re: (Score:2)
> Garrett-117
What's the Half-Life of that isotope?
Re: (Score:2)
15 months, not years (Score:5, Informative)
Re: (Score:2)
Did any other botnet operator learn anything from him?
Did he disrupt the progress of networking and technology and banking by forcing resources to be diverted to preventing his sort of crime?
Is he wasting my time by being infamous enough to get my attention on slashdot?
He is not benign.
Re: (Score:3, Insightful)
And the lenient sentencing is because he ultimately did not cause much damage.
What? Have you not heeded the cries of your fellow Slashdotters!? Lynch him! Draw him! Quarter him! Then hang his quarters separately!! Stealing bank passwords is so much worse than murder, rape or treason!
Glad we have editors here... (Score:2, Insightful)
A note to the editors... (Score:2)
Re: (Score:2, Insightful)
Fail!
insanity defense .. (Score:5, Funny)
Re: (Score:2)
Would anyone ever suspect a security "professional" at work of administering a botnet from there? I would call it an extremely efficient disguise.
Five years? (Score:4, Insightful)
Re: (Score:2, Insightful)
Problem with our legal system is that it has disparaging sentences. This turns out to be cruel and unusual punishment. We have people who kill others and go to jail for a couple of years...then we have people who rob banks who go to jail for a decade (plus extra time for each illegal weapon/ammunition even if a shot was never fired) and then we expect computer hackers (while malicious, didn't kill anyone) go
Re: (Score:2)
I have to agree. 5 years per offense seems reasonable. You hack a computer you get 5 years in jail. You hack 250,000 you get 1.25 million years in jail.
Re: (Score:2)
This is merely a case of someone breaking and entering 250,000 times as well as attempting bank fraud on each of his victims.. the guy should get a misdemeanor and do 20 hours community service.
he should know better indeed (Score:2)
This summary hurts my brain... last 2007 and the past 15? Really?
From your Friendly Security Professional (Score:5, Funny)
My professional opinion is that Internet Explorer is a fast, reliable, and safe web browsing platform.
Also, make sure ActiveX is turned on. It's important for your safety.
Title is wrong. (Score:2)
It should read,
Make him learn a real trade (Score:2)
While he's in prison, make him learn a new trade. Maybe by using one of those internet colleges. He couldn't cause trouble doing that.
You don't say! (Score:2)
Hear that sound? (Score:4, Insightful)
70 years for MacKinnon? (Score:5, Interesting)
Re: (Score:2)
No, the lesson is, you shall not fuck with the military. They are in the habit of hurting back. It doesn't help that the military is generally in the habit of hurting foreigners and MacKinnon is a foreigner.
I mean really, if you tried to hack into the Russian Army's or Chinese PLA's databases, what do you think would happen to you if they could get their hands on you, or even if they couldn't (read: ricin)?
LinkedIn Profile? (Score:2, Informative)
Is this the same guy whose LinkedIn profile is here:
http://www.linkedin.com/ppl/webprofile?action=vmi&id=12553940&authToken=bUKc&authType=name&trk=ppro_viewmore&lnk=vw_pprofile
I'd start using a middle name if I had the same first and last names and was employed in the same city as this guy.
Doesn't speak well for his employers' due diligence either....
Fixed it (Score:3, Funny)
"Quit being a bitch and claim it," Schiefer told a juvenile apprentice named Adam, according to court documents.
How the tables turn. Now it's Schiefer who's going to be told, "You're my bitch now, I claimed it".
-[d]-
holy mangled syntax, batman! (Score:5, Funny)
"John Schiefer, the Los Angeles security consultant who in last 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing.
Even worse, I hear the submitter has been working the past 15 months as a professor of English language while awaiting sentencing for negligent grammarcide.
Re:Proofreading? What's that? :p (Score:4, Funny)
A little professionalism, please? KTHXBYE
I don't even know what to do with that...
Re: (Score:3, Funny)
consultant who in last 2007 ...
As opposed to the 2007 before that? Or next 2007?
Re:Substantial Threat to Society? (Score:5, Interesting)
What about the woman that gets raped on the street? Isn't she partly responsible for the rapist's behavior?
Come on people, quit blaming the victim; especially when the victim is an average person (as is evidenced by the sheer size that many botnets reach).
Re:Substantial Threat to Society? (Score:5, Funny)
According to /. logic, if she didn't want to be raped, she should have closed her ports.
Re: (Score:3, Funny)
To further this analogy, here is the clothing that was designed by microsoft to protect her from all external access. [feelpretty.com] NSFW... :D
Re:Substantial Threat to Society? (Score:5, Insightful)
Depends on who you ask. If you're asking a socially conservative, self-righteous "virtuous" woman, she might say "yes", it's the girl's fault. We know there are countries where people are like that. On Slashdot, if you ask a bunch of condescending techies about being a victim of a cyber crime, there's a good possibility that some of the people will blame the victim. I'm not saying that they're right but simply their perspective is narrower and maybe even biased. Personally, counting on people for reasonable, correct behavior is a fool's hope and failing to account for people's tendency to act less than reasonable is a weakness in any security system or protocol.
Re:Substantial Threat to Society? (Score:4, Insightful)
Personally, counting on people for reasonable, correct behavior is a fool's hope and failing to account for people's tendency to act less than reasonable is a weakness in any security system or protocol.
The difference between meatspace crimes and internet crimes is the level of risk.
You can get away with less security in the real world,
because the level of risk to commit crimes is much higher.
Online, the risk is lower and in response, your level of security should be much higher.
Re: (Score:3, Funny)
You really want a rape analogy? (Score:2)
The analogy just doesn't work. When you look at how someone becomes part of a botnet, it's often a Windows user choosing to execute something. It's social, not technical, not force.
The closest I can get to a rape analogy is that a woman seeks out a man, asks him for sex, does the deed, and then the next morning decides he wasn't the guy she was looking for. He was supposed to be a pretty screensaver, and instead turned out to be a spambot. There he is, in her bedroom, writing letters and taking stamps o
Re:You really want a rape analogy? (Score:5, Insightful)
The closest I can get to a rape analogy is that a woman seeks out a man, asks him for sex, does the deed, and then the next morning decides he wasn't the guy she was looking for. He was supposed to be a pretty screensaver, and instead turned out to be a spambot. There he is, in her bedroom, writing letters and taking stamps out of her desk.
No, the analogy here would be: A woman asks out what seems to be a nice man for dinner. At dinner he slips a roofy into her drink, drags her back to the car and rapes her. The next morning she knows that something is wrong, but can't remember a thing and so doesn't properly report it or deal with the consequences.
Re:You really want a rape analogy? (Score:5, Funny)
I'd view it more like raping someone with learning difficulties. Windows boxes often just don't have the capacity to say no or understand that what they're doing might be wrong, they just lack that sort of basic awareness.
So it's more a case of someone asks a nice man for a lollipop but due to using Windows they can't tell if the man is really nice or indeed if that's really a lollipop.
Re: (Score:2)
Leaving the (IMO bad) rape analogy aside, I would say it is partly the victim's fault. The average person doesn't want to take the time to learn a few things about basic computer security, and this creates a breeding ground for botnets. Conficker originally spre
Re: (Score:3, Interesting)
Re:Substantial Threat to Society? (Score:5, Interesting)
What about the individuals whose computers were compromised by him? Are they not themselves partially culpable for his actions? Shouldn't people feel compelled to not let themselves become zombies?
Sure, I should probably lock the door of my house when I leave for work... It's probably a good idea to lock my car in the parking lot, too... But that doesn't mean it isn't a criminal act if you walk into my house and steal something.
Yes, from an insurance standpoint not locking the door will likely have an effect. If my insurance company knows that I didn't lock my car they probably won't pay for any repairs it may need after being recovered. But the guy who steals it is still a criminal, still goes on trial, and still goes to jail.
Just because someone didn't patch their computer doesn't mean it's OK to exploit those vulnerabilities. It's a weak point in the computer's security, not an open invitation. Are you suggesting that it's OK to break into someone's house because the windows are fragile?
Creating a botnet from zombied computers is no trivial act. Simply exploiting a vulnerability takes some time and effort. It isn't as if this guy just kind of tripped over a botnet and accidentally stole some identities. This was an intentional criminal act.
Re: (Score:2)
well eventually we'll roll over the googleplex counter for years...
Re:Smart People (Score:5, Insightful)
The only person that can be blamed is him. Not his parents, not the school, not society.
No one put a gun to his head and made him hack. Take some responsibility.
Ridiculous.
Re: (Score:2)
Um. "Lack of intellectual outlet" is no reason to break into a school computer. Why didn't you and your buddies set up computers for each other to break into?
Or maybe it's more the "thrill" that people are looking for, and we like to attribute it to "intellect" because that sounds much less criminal and much less evil/wrong. We don't like being "wrong."
Re: (Score:3, Interesting)
What a load of crap.
The guy is a painter that lives in a world where paint has been banned. Of COURSE he is a criminal.
Yeah, if only this guy had lived in a world where it's OK to steal from other people's bank accounts. That would be a great world, wouldn't it? Just think how much would get done if nobody could trust a bank! Why, it would be a grand new society! And people who desperately need the "outlet" of ste
Re: (Score:2)
The engineer in all of us is going to go "What caused this? how can we fix it?". I don't know. Part of me wants to blame the schools.
Not really. I blame him. He's the only one responsible for the decisions he has made.
Re: (Score:2)
The guy is a painter that lives in a world where paint has been banned.
Since when has paint been banned? It's illegal to hack others' systems, yes. Likewise, it's illegal to break into other people's houses, etc.
It's not illegal to break into your own systems, uncover vulnerabilities, etc. While I suspect at least someone will claim you can be sued or go to jail for finding software vulnerabilities, people do it all the time. They're computer security researchers. (Some of them even have their own botnets, but not using others' machines -- that is beyond the hobbyist level of
Don't insult our intelligence... (Score:4, Informative)
This comes from highly intelligent people not having an outlet for their intelligence.
Say *what*?
You're insulting all the smart people who found an outlet for their intelligence, especially those of us with spotty academic records who somehow managed to avoid turning into criminal bullies. Maybe it's not "society's fault" after all?
Re: (Score:2)