Arizona Botnet Controller Draws 30-Month Federal Sentence
dgharmon writes with word from the BBC that "A U.S. hacker who sold access to thousands of hijacked home computers has been jailed for 30 months. Joshua Schichtel of Phoenix, Arizona, was sentenced for renting out more than 72,000 PCs that he had taken over using computer viruses." Time is cheap: Schichtel admitted to giving access to those 72,000 computers for $1500.
Hmmm (Score:3, Funny)
Should have incorporated his criminal enterprise into a bank. Then he wouldn't serve any time and the government would bail him out for business expenses. It's rather silly to commit individual crime when corporate crime pays more and there's usually no time served.
Re:Hmmm (Score:5, Informative)
It's rather silly to commit individual crime when corporate crime pays more and there's usually no time served.
White collar criminals do indeed go to jail.
Former Chairman and CEO of Kellogg, Brown & Root Inc. Sentenced to 30 Months in Prison for Foreign Bribery and Kickback Schemes [fbi.gov]
Former TBW CEO Sentenced to 40 Months in Prison for Fraud Scheme [fbi.gov]
Two Former Canopy Financial Co-Founders Sentenced to 15 and 13 Years in Prison for $75 Million Investment Fraud and Raiding $18 Million from Custodial Health Care Expense Accounts of 1,600 Customers [fbi.gov]
Allen Stanford Convicted in Houston for Orchestrating $7 Billion Investment Fraud Scheme [fbi.gov]
Just a sample. Just search for "CEO" [fbi.gov] to see more. It's not hard to find other examples.
Re:Hmmm (Score:5, Insightful)
And yet not one of the CEOs responsible for the epic fraud that crashed the world economy in 2008 has even been arrested, let alone charged and tried.
Re:Hmmm (Score:4, Insightful)
On the other hand, you can raise funds from investors, buy up companies, bilk the assets as the companies sit neglected and die, the investors, and the employees all lose, thousands of jobs and homes and more, while the 'perpetrators' bilk off millions. And we call it 'business' and make it legal.
Re:Hmmm (Score:5, Informative)
And yet not one of the CEOs responsible for the epic fraud that crashed the world economy in 2008 has even been arrested, let alone charged and tried.
Some will go to jail.
Georgia banker gets 12-year sentence for fraud [housingwire.com]
Some will be at least inconvenienced.
SEC charges ex-Fannie, Freddie CEOs with fraud [dailyrepublic.com]
Unfortunately, the real cause of much of this is beyond the hand of the law:
How The Government Caused The Mortgage Crisis [businessinsider.com]
A sad story:
While Freddie & Fannie Spanked, Dodd Leered [melaniemorgan.com]
Re: (Score:3)
White collar criminals do indeed go to jail.
To improve the jails, they have to send better people there.
Re: (Score:2)
"White collar criminals do indeed go to jail."
White collar criminals go to white collar jail.
If they spend a little time at a run of the mill prison til a "unit" clears out, they spend it in "punk city" (protective custody) with the baby rapers and snitches.
To improve jails they should feed some white collar criminals to the G.P.(general population). It might even make some "college boys" think twice about real life and consequences. At the very least it would improve the G.P. protection games with a large
Re: (Score:2)
If one was able to quantify suffering, then I'm sure that the combined suffering caused by several billion dollars lost might well compare to the suffering caused by, say, a murder. Yet white collar criminals get relatively small sentences (if they're sentenced at all, as Hatta pointed out).
I can imagine that, at least for some, punishment may be seen as no more than a worthwhile price given the dividends (if they squirrel away the profits in time). And not being caught would be seen as a bonus.
Mod me fla
Re: (Score:2)
That's less than what you can get for pulling an armed robbery at a liquor store.
Great financial crimes are economic treason. Their perpetrators should be publicly executed by hanging.
Re: (Score:2)
minimum-security prison is no picnic. I have a client in there right now. He says the trick is: kick someone's ass the first day, or become someone's bitch. Then everything will be all right.
I'm pretty sure I heard that quote in a movie. What, no-one's delivering him crepes in bed now? Yeah, that's gotta be hell.
Re: (Score:1)
minimum-security prison is no picnic. I have a client in there right now. He says the trick is: kick someone's ass the first day, or become someone's bitch. Then everything will be all right.
I'm pretty sure I heard that quote in a movie. What, no-one's delivering him crepes in bed now? Yeah, that's gotta be hell.
If he's a pretty big guy, maybe someone is serving him creeps in bed instead!!!
Does anyone else see this as him getting off easy? (Score:1)
Just considering the personal information that could be stored on those machines and possibly accessed by someone with the intent of ID theft. It should have been a month for each machine compromised.
Re: (Score:3)
Just considering the personal information that could be stored on those machines and possibly accessed by someone with the intent of ID theft. It should have been a month for each machine compromised.
Playing devil's advocate but he did not access the personal information, he provided access. Should an ISP be liable for their customer's actions?
Re: (Score:2)
In fairness, this had nothing to do with identity theft. He literally just rented out time on a "stolen" supercomputer, of sorts.
Still doesn't make him less worthy of giving Grandma one free whack at him, but I wouldn't really consider him as all that bad, as that sort of scum goes.
Re: (Score:2)
I think the answer should be the same as in "Shall illegal arms dealer get charged with being accessory to murder/robbery/etc?" and I think legally it's a no.
I think, legally it should not be no. A getaway driver's just driving a car. He's not robbing the bank.
If he sold the weapon legally, he should be in the clear. There's no way he could have known what was going to be done with it. Illegally, complicit.
Re: (Score:2)
I would have to say that, IMO, "intent" has a lot to do with my opinion of this - And don't get me wrong, I don't have any problem with the sentence he received.
Yes, you have it entirely correct that he could have caused more damage than he intended. I don't feel comfortable with law
Re: Technical Knowledge (Score:2)
Literally the other day, I decided to install Tor and browse around for the first time. Previously, I had also played with I2P. I am seriously confused given the availability and ease of use of these anonymous networks, and bitcoin for payment, especially with the availability of unsecured wireless networks, how the hell anyone gets caught for information/hacking related crimes.
Now if I were going to do something not involving physical stuff, staying sterile wrt the law would involve the following easy s
Re: (Score:1)
OR, just grab for the personal info, and take lists of credit card numbers to other countries south of the U.S. and sell a list of 5-6k cc numbers with names/addresses for $5k cash apiece.
So I've been told. Not that I've done anything like that.
Seriously though, if you got the skills, start on the other side. Get paid by the big corps to penetration test their networks. Use your skills and don't even worry about covering your tracks. This is a Much better approach.
Re: (Score:2)
Almost all enabling crimes require intent.
Having said this, I'm of the fairly unusual opinion that anyone who subjectively recklessly profits from someone with should be jointly liable. Put another way, if you accept a gain from someone who you think may be misbehaving, you accept the risk of loss too.
Re: (Score:2)
It's more than an enabling crime. In order to have a botnet, he first had to infect all those machines with a virus that pointed to his command & control machine. That in itself is criminal.
And besides the ID theft considerations, there's also the millions of spam emails the botnet no doubt sent.
I'd personally like to punch him on the face. But on the scale of all possible crimes, it's still not very major.
Don't play devil's advocate (Score:2)
To paraphrase Julia Roberts's character in Erin Brockovich [imdb.com] (and Albert Finney's character's later retort): "Do they teach you how to play Devil's Advocate in your home town? Because you suck at it." He has 72,000 counts of violating the Computer Fraud and Abuse Act [wikipedia.org]. The ISP had zero counts. So no, the ISPs should not be liable for crimes they didn't commit, but
Re: (Score:2)
Playing devil's advocate but he did not access the personal information, he provided access. Should an ISP be liable for their customer's actions?
That's like claiming that pickpocketing should be legal, so long as you sell the stolen wallets without looking inside them. Just because he chose to not use the personal data he managed does not mean he did not have access to it, or knowingly provide access to it to other criminals.
Re: (Score:1)
NO!
What about the lives of the people that could have been compromised? Would that be more than 18 minutes of their trouble? Your comment excludes the impact on those who could be personally affected. They should keep the case open for claims in the future as well. If one of the compromised people has their ID compromised, and it can be proved that it resulted from this guy there should be 72k more kicks to the rollers.
Re: (Score:1)
18 minutes per compromised computer doesn't seem harsh to you?
Absolutely NOT! - One month minimum for each compromised computer PLUS one day for each spam mail those compromised computers sent out.
Yes, I know this means a sentence of many thousands of years... As this is a first time offense, I'll allow him to be eligible for parole when half the time is served. Serves him right and it'll keep him from repeating his crime.
Re: (Score:2)
Yeah! 18 minutes is certainly long enough time to serve for committing an instance of felony unauthorized computer access, along with entering into a conspiracy for others to do that. 18 minutes is entirely reasonable for a felony+conspiracy to help others commit a felony.
Now, I have a few questions: What day is he getting out, does someone have a gun I can borrow, and is it 18 minutes for all felonies, or does it scale up to a few hours for each murder? Murder being a random example, that is. I'm, uh, wri
Re: (Score:2)
Yeah! 18 minutes is certainly long enough time to serve for committing an instance of felony unauthorized computer access, along with entering into a conspiracy for others to do that. 18 minutes is entirely reasonable for a felony+conspiracy to help others commit a felony.
Now, I have a few questions: What day is he getting out, does someone have a gun I can borrow, and is it 18 minutes for all felonies, or does it scale up to a few hours for each murder? Murder being a random example, that is. I'm, uh, writing a book.
Anders Breivik got 21 years for murdering 77 people. So yeah, it apparently does scale up with severity of the crime.
Is this worth about 14 weeks to you?
PS -- make sure you do it in Norway.
Re: (Score:2)
The Breivik thing is mostly a myth. Apparently, in Norway, you can be kept in jail even after your sentence is up. So he's not getting out even after the 21 years are over.
This makes no sense to me, though.
Re: (Score:2)
This is how Daily Mail readers really think.
The missing point. (Score:3)
There is a demand for distributed computing. A general purpose SETI@home w/ internet access. If only the operating systems were secure enough to allow individuals to join such a network and give arbitrary control to strangers they could earn a small profit by selling some amount of their unused bandwidth and CPU power. We could actually monetize all our idle CPUs and unreached bandwidth caps. A more sandboxed solution -- like the aforementioned SETI or Folding@Home, etc -- could be marketed by legitimate businesses. It seems a logical conclusion given our need for always on home (media/status) servers to stream our digital properties to us, and the success of "cloud computing".
Unfortunately the law is also not on our side: What if a client uses your Cloud@Home 'server' to download and redistribute "illegal" material? (The same as if a bot-net operator directs your machine to do so today.) We need to address the issue of identity (IPaddr != person) if my distributed machine intelligence system is ever to make the Internet self aware... So long as we would pay it enough to solve hard problems it could pay for its own distributed computing rent.
With the state of computer security being utterly insecure at nearly every juncture, and our unwillingness to fix the legal risk of us meeting the demand for affordable distributed computing, I think it's only natural that such is done illegally. Do you really want the first global sentient machine intelligence to be a rogue bot-net system? That will surely escalate to (cyber) war. I'd much rather have it be a peaceful, profitable and legal entity. Sadly we'll have the lawyers and lawmakers to blame for bringing about the first man vs machine war.
I could have posted this to the freedom of speech vs child porn story as well. [slashdot.org]
Re: (Score:2)
Shouldn't DMCA safe harbor provisions kick in? A business run from your living room is still a business, and renting out CPU time on a sandboxed VM ought to count as being an "online service provider".
Re: (Score:2)
I'm not sure there is any demand for that, to be honest. The supply has already been fulfilled by things like EC2 and GCE.
Re: (Score:3)
With the state of computer security being utterly insecure at nearly every juncture, and our unwillingness to fix the legal risk of us meeting the demand for affordable distributed computing, I think it's only natural that such is done illegally.
Hyperbole much? Sue the pants off Microsoft for selling easily p0wned software, or sue the average computer user for not being knowledgeable enough to use it.
Should they require an Internet driver's licence? No thanks, very much.
I run (so far) secure FLOSS boxes. Don't blame me for the state of computer security. I don't need any more laws to protect me, as if they could. The vast majority of what's wrong with computer security as it relates to botnets can firmly be placed at Bill Gates and Steve Ballmer
Re: (Score:2)
...Off for snitching I bet
Perhaps s/he was a LEO, doing his/her job, or a LEO who bought into the scheme and subsequently woke up.
They should notify all the infected people (Score:2)
They should notify all the infected people and also make sure they understand what a firewall is etc. and not to trust the Microsoft one.
I know many people that just have a Windows PC plugged straight into their cable modem (i.e. not even NAT happening) and think it's gonna be OK.
Re: (Score:2)
They should
Who's "they"? Are you volunteering to teach 72 000 people, most of whom don't even know how to use Windows update, what a firewall is?
Re: (Score:2)
'They' are the government. Me? No. The internet has become fundamental to everything including business and commerce, so has become key infrastructure. Therefore the government need to defend it. The best way is to inform people of the basics of security at least. It needs to be a government initiative.
He was on their radar previously in 2004 (Score:1)
According to the BBC article, the initial charges were dropped due to a technicality (i.e. indictment was filed too late, whatever that means).
So chances are he knew that he was being watched and slipped up.
It's interesting that 72,000 boxes were used for one package. Doesn't mean that the machines under his control were "just" those. If someone wants to generate a certain amount of volume (e.g. traffic for a DoS, SPAM, etc) probably 72k machines will suffice.
This is nothing was the Russian-based botnets [h-online.com] o
Wait, wait, wait (Score:3)
Unauthorized access of a computer is a felony. (Doing that for the purpose of selling someone else access like that is probably an additional felony, it looks roughly like conspiracy to me. But let's ignore that.) That is, every single authorized access is a felony.
This guy got 30 months for committing 72000 felonies?
I know jail time doesn't necessarily 'stack', and that unauthorized computer access is one of the lower-class of felonies, and probably supposed to only be a year in jail at most.
But, still, this is completely absurd. That sentence is 18 minutes per felony.
Malware and computer hijacking is basically the legal equivalent of carpeting a football stadium of people with tear gas. If you did that, you'd be charged with tens of thousands of instances of basic assault (A crime which is roughly in the same ballpark, legally, as unauthorized computer access.) and end up in jail almost forever.
But somehow unauthorized computer access, despite being something that each individual instance is supposed to result in (at least) months in jail, and which does result in months in jail when it's against the wrong person, aka, a big corporation...somehow all that just goes away if you do it against enough people at once via malware.
If I invented a robot that went around stealing from 72000 stores, they wouldn't just laugh and give me the equivalent of five counts of shoplifting in jail time. If I kill twenty people at once, they don't just laugh and say 'Oh, that was really just one instance, let's sentence him for, oh, two murders, that seems fair.'
72000 felonies.
And let's not forget, these have actual victims. Here's a fun question: Would you rather be punched in the face once (Basic assault), or have to reinstall your entire computer? (And, as only 25% of the population has any sort of backup at all, let's pretend you'd lose 75% of your stuff.)
Yeah, I thought so. There's a reason we actually made the law the way we made it, where those two are within the same order of magnitude as crimes. The courts, OTOH, seem to think that some guy hacking a computer server of a powerful company (Which is one computer and hence one felony.) is much much worse than someone hijacking 72000 human-owned computers.