
Arizona Botnet Controller Draws 30-Month Federal Sentence

Posted by timothy
from the such-a-sweet-boy dept.
dgharmon writes with word from the BBC that "A U.S. hacker who sold access to thousands of hijacked home computers has been jailed for 30 months. Joshua Schichtel of Phoenix, Arizona, was sentenced for renting out more than 72,000 PCs that he had taken over using computer viruses." Time is cheap: Schichtel admitted to giving access to those 72,000 computers for $1500.

  • Hmmm (Score:3, Funny)

    by girlintraining (1395911) on Sunday September 09, 2012 @05:40PM (#41283015)

    Should have incorporated his criminal enterprise into a bank. Then he wouldn't serve any time and the government would bail him out for business expenses. It's rather silly to commit individual crime when corporate crime pays more and there's usually no time served.

    • Re:Hmmm (Score:5, Informative)

      by cold fjord (826450) on Sunday September 09, 2012 @06:05PM (#41283175)

      It's rather silly to commit individual crime when corporate crime pays more and there's usually no time served.

      White collar criminals do indeed go to jail.

      Former Chairman and CEO of Kellogg, Brown & Root Inc. Sentenced to 30 Months in Prison for Foreign Bribery and Kickback Schemes [fbi.gov]

      WASHINGTON—Albert “Jack” Stanley, a former chairman and chief executive officer of Kellogg, Brown & Root Inc. (KBR), was sentenced today to 30 months in prison for conspiring to violate the Foreign Corrupt Practices Act (FCPA) by participating in a decade-long scheme to bribe Nigerian government officials to obtain engineering, procurement and construction (EPC) contracts and for conspiring to commit mail and wire fraud as part of a separate kickback scheme, the Justice Department’s Criminal Division today announced.

      Former TBW CEO Sentenced to 40 Months in Prison for Fraud Scheme [fbi.gov]

      WASHINGTON—The former chief executive officer (CEO) of Taylor, Bean & Whitaker (TBW) was sentenced today to 40 months in prison for his role in a more than $2.9 billion fraud scheme that contributed to the failure of TBW. At one time, TBW was one of the largest privately held mortgage lending companies in the United States.

      Two Former Canopy Financial Co-Founders Sentenced to 15 and 13 Years in Prison for $75 Million Investment Fraud and Raiding $18 Million from Custodial Health Care Expense Accounts of 1,600 Customers [fbi.gov]

      Allen Stanford Convicted in Houston for Orchestrating $7 Billion Investment Fraud Scheme [fbi.gov]

      WASHINGTON—A Houston federal jury today convicted Robert Allen Stanford, the former board of directors chairman of Stanford International Bank (SIB), for orchestrating a 20-year investment fraud scheme in which he misappropriated $7 billion from SIB to finance his personal businesses.

      On June 14, 2012, Robert Allen Stanford, the former Chairman of Stanford International Bank (SIB), was sentenced to 110 years in prison for orchestrating a 20 year investment fraud scheme in which he misappropriated $7 billion from SIB to finance his personal businesses and lifestyle. -- United States v. Robert Allen Stanford et al. [justice.gov]
       

      Just a sample. Just search for "CEO" [fbi.gov] to see more. It's not hard to find other examples.

      • Re:Hmmm (Score:5, Insightful)

        by Hatta (162192) on Sunday September 09, 2012 @06:22PM (#41283285) Journal

        And yet not one of the CEOs responsible for the epic fraud that crashed the world economy in 2008 has even been arrested, let alone charged and tried.

        • Re:Hmmm (Score:4, Insightful)

          by wbr1 (2538558) on Sunday September 09, 2012 @06:28PM (#41283323)
          Typical. In Virginia, the low end for Grand Larceny is $200. You can spend 20 years in prison for picking up someone's netbook.
          On the other hand, you can raise funds from investors, buy up companies, bilk the assets as the companies sit neglected and die, the investors, and the employees all lose, thousands of jobs and homes and more, while the 'perpetrators' bilk off millions. And we call it 'business' and make it legal.
        • Re:Hmmm (Score:5, Informative)

          by cold fjord (826450) on Sunday September 09, 2012 @08:34PM (#41283971)

          And yet not one of the CEOs responsible for the epic fraud that crashed the world economy in 2008 has even been arrested, let alone charged and tried.

          Some will go to jail.

          Georgia banker gets 12-year sentence for fraud [housingwire.com]

          Mark Conner, former president of the failed FirstCity Bank in Georgia, was sentenced to 12 years in prison and ordered to pay $19.5 million in restitution for his part in several schemes that sunk his and at least 10 other banks.

          Conner served in several top positions at the bank between 2004 and 2009. While there, he lied to the bank's board and loan committee for approvals on multimillion-dollar commercial loans to borrowers who were only using the money to buy property Conner and his co-conspirators owned, according to court documents.

          He even duped at least 10 other federally insured banks to invest in the fraudulent loans. This way, Conner scammed at least $7 million for himself while shifting the risk to these other firms that eventually failed.

          As the financial crisis struck, Conner then tried to unload FirstCity nonperforming loans and foreclosed homes to straw buyers, who were taking out loans from Conner to buy the assets. He then tried unsuccessfully to get a $6 million bailout from the Troubled Asset Relief Program.

          Some will be at least inconvenienced.

          SEC charges ex-Fannie, Freddie CEOs with fraud [dailyrepublic.com]

          WASHINGTON — Two former CEOs at mortgage giants Fannie Mae and Freddie Mac on Friday became the highest-profile individuals to be charged in connection with the 2008 financial crisis.

          In a lawsuit filed in New York, the Securities and Exchange Commission brought civil fraud charges against six former executives at the two firms, including former Fannie CEO Daniel Mudd and former Freddie CEO Richard Syron.. . . .

          Unfortunately, the real cause of much of this is beyond the hand of the law:

          How The Government Caused The Mortgage Crisis [businessinsider.com]

          A sad story:

          While Freddie & Fannie Spanked, Dodd Leered [melaniemorgan.com]

          • by AK Marc (707885)
            The housing crisis was caused by the derivatives, and nothing more. All the talk about Fannie Mae and subprime loans are all a smokescreen by the rich white male bankers that caused the crisis, turning it into a class/race issue (all those blacks Fannie Mae loaned to, and all those subprime borrowers who defaulted at no more than historical rates). Needless to say, there was no mention of the prime loans defaulting, or the fact that it took only a few subprime defaults to collapse the derivatives (yes, so
      • by Sulphur (1548251)

        White collar criminals do indeed go to jail.

        To improve the jails, they have to send better people there.

        • by flyneye (84093)

          "White collar criminals do indeed go to jail."

          White collar criminals go to white collar jail.
          If they spend a little time at a run of the mill prison til a "unit" clears out , they spend it in "punk city" (protective custody) with the baby rapers and snitches.
          To improve jails they should feed some white collar criminals to the G.P.(general population). It might even make some "college boys" think twice about real life and consequences. At the very least it would improve the G.P. protection games with a large

      • If one was able to quantify suffering, then I'm sure that the combined suffering caused by several billion dollars lost might well compare to the suffering caused by, say, a murder. Yet white collar criminals get relatively small sentences (if they're sentenced at all, as Hatta pointed out).

        I can imagine that, at least for some, punishment may be seen as no more than a worthwhile price given the dividends (if they squirrel away the profits in time). And not being caught would be seen as a bonus.

        Mod me fla

      • by couchslug (175151)

        That's less than what you can get for pulling an armed robbery at a liquor store.

        Great financial crimes are economic treason. Their perpetrators should be publicly executed by hanging.

  • Just considering the personal information that could be stored on those machines and possibly accessed by someone with the intent of ID theft. It should have been a month for each machine compromised.

    • by Meshach (578918)

      Just considering the personal information that could be stored on those machines and possibly accessed by someone with the intent of ID theft. It should have been a month for each machine compromised.

      Playing devil's advocate but he did not access the personal information, he provided access. Should an ISP be liable for their customer's actions?

      • by pla (258480)
        Playing devil's advocate but he did not access the personal information, he provided access. Should an ISP be liable for their customer's actions?

        In fairness, this had nothing to do with identity theft. He literally just rented out time on a "stolen" supercomputer, of sorts.

        Still doesn't make him less worthy of giving Grandma one free whack at him, but I wouldn't really consider him as all that bad, as that sort of scum goes.
      • Almost all enabling crimes require intent.

        Having said this, I'm of the fairly unusual opinion that anyone who subjectively recklessly profits from someone with should be jointly liable. Put another way, if you accept a gain from someone who you think may be misbehaving, you accept the risk of loss too.

        • It's more than an enabling crime. In order to have a botnet, he first had to infect all those machines with a virus that pointed to his command & control machine. That in itself is criminal.

          And besides the ID theft considerations, there's also the millions of spam emails the botnet no doubt sent.

          I'd personally like to punch him on the face. But on the scale of all possible crimes, it's still not very major.

      • "Playing devil's advocate but he did not access the personal information, he provided access. Should an ISP be liable for their customer's actions?"

        To paraphrase Julia Roberts's character in Erin Brockovich [imdb.com] (and Albert Finney's character's later retort): "Do they teach you how to play Devil's Advocate in your home town? Because you suck at it." He has 72,000 counts of violating the Computer Fraud and Abuse Act [wikipedia.org]. The ISP had zero counts. So no, the ISPs should not be liable for crimes they didn't commit, but

      • by AK Marc (707885)

        Playing devil's advocate but he did not access the personal information, he provided access. Should an ISP be liable for their customer's actions?

        That's like claiming that pickpocketing should be legal, so long as you sell the stolen wallets without looking inside them. Just because he chose to not use the personal data he managed does not mean he did not have access to it, or knowingly provide access to it to other criminals.

    • by Shavano (2541114)
      18 minutes per compromised computer doesn't seem harsh to you?
      • NO!

        What about the lives of the people that could have been compromised? Would that be more than 18 minutes of their trouble? Your comment excludes the impact on those who could be personally affected. They should keep the case open for claims in the future as well. If one of the compromised people has their ID compromised, and it can be proved that it resulted from this guy there should be 72k more kicks to the rollers.

      • by xenobyte (446878)

        18 minutes per compromised computer doesn't seem harsh to you?

        Absolutely NOT! - One month minimum for each compromised computer PLUS one day for each spam mail those compromised computers sent out.

        Yes, I know this means a sentence of many thousands of years... As this is a first time offense, I'll allow him to be eligible for parole when half the time is served. Serves him right and it'll keep him from repeating his crime.

      • by DavidTC (10147)

        Yeah! 18 minutes is certainly a long enough time to serve for committing an instance of felony unauthorized computer access, along with entering into a conspiracy for others to do that. 18 minutes is entirely reasonable for a felony+conspiracy to help others commit a felony.

        Now, I have a few questions: What day is he getting out, does someone have a gun I can borrow, and is it 18 minutes for all felonies, or does it scale up to a few hours for each murder? Murder being a random example, that is. I'm, uh, wri

        • by Shavano (2541114)

          Yeah! 18 minutes is certainly a long enough time to serve for committing an instance of felony unauthorized computer access, along with entering into a conspiracy for others to do that. 18 minutes is entirely reasonable for a felony+conspiracy to help others commit a felony.

          Now, I have a few questions: What day is he getting out, does someone have a gun I can borrow, and is it 18 minutes for all felonies, or does it scale up to a few hours for each murder? Murder being a random example, that is. I'm, uh, writing a book.

          Anders Breivik got 21 years for murdering 77 people. So yeah, it apparently does scale up with severity of the crime.

          Is this worth about 14 weeks to you?

          PS -- make sure you do it in Norway.

          • by DavidTC (10147)

            The Breivik thing is mostly a myth. Apparently, in Norway, you can be kept in jail even after your sentence is up. So he's not getting out even after the 21 years are over.

            This makes no sense to me, though.

  • There is a demand for distributed computing. A general purpose SETI@home w/ internet access. If only the operating systems were secure enough to allow individuals to join such a network and give arbitrary control to strangers they could earn a small profit by selling some amount of their unused bandwidth and CPU power. We could actually monetize all our idle CPUs and unreached bandwidth caps. A more sandboxed solution -- like the aforementioned SETI or Folding@Home, etc -- could be marketed by legitimate businesses. It seems a logical conclusion given our need for always on home (media/status) servers to stream our digital properties to us, and the success of "cloud computing".

    Unfortunately the law is also not on our side: What if a client uses your Cloud@Home 'server' to download and redistribute "illegal" material? (The same as if a bot-net operator directs your machine to do so today.) We need to address the issue of identity (IPaddr != person) if my distributed machine intelligence system is ever to make the Internet self aware... So long as we would pay it enough to solve hard problems it could pay for its own distributed computing rent.

    With the state of computer security being utterly insecure at nearly every juncture, and our unwillingness to fix the legal risk of us meeting the demand for affordable distributed computing, I think it's only natural that such is done illegally. Do you really want the first global sentient machine intelligence to be a rogue bot-net system? That will surely escalate to (cyber) war. I'd much rather have it be a peaceful, profitable and legal entity. Sadly we'll have the lawyers and lawmakers to blame for bringing about the first man vs machine war.

    I could have posted this to the freedom of speech vs child porn story as well. [slashdot.org]

    • by gagol (583737)
      A virtual machine based distributed platform could easily achieve that!
    • by Entropius (188861)

      Shouldn't DMCA safe harbor provisions kick in? A business run from your living room is still a business, and renting out CPU time on a sandboxed VM ought to count as being an "online service provider".

    • by afgam28 (48611)

      I'm not sure there is any demand for that, to be honest. The supply has already been fulfilled by things like EC2 and GCE.

    • by tqk (413719)

      With the state of computer security being utterly insecure at nearly every juncture, and our unwillingness to fix the legal risk of us meeting the demand for affordable distributed computing, I think it's only natural that such is done illegally.

      Hyperbole much? Sue the pants off Microsoft for selling easily p0wned software, or sue the average computer user for not being knowledgeable enough to use it.

      Should they require an Internet driver's licence? No thanks, very much.

      I run (so far) secure FLOSS boxes. Don't blame me for the state of computer security. I don't need any more laws to protect me, as if they could. The vast majority of what's wrong with computer security as it relates to botnets can firmly be placed at Bill Gates and Steve Ballmer

  • They should notify all the infected people and also make sure they understand what a firewall is etc. and not to trust the Microsoft one.

    I know many people that just have a windows PC plugged straight into their cable modem (i.e. not even NAT happening) and think it's gonna be OK.

    • by Sqr(twg) (2126054)

      They should

      Who's "they"? Are you volunteering to teach 72 000 people, most of whom don't even know how to use Windows update, what a firewall is?

      • by JustNiz (692889)

        'They' are the government. Me? No. The internet has become fundamental to everything including business and commerce, so has become key infrastructure. Therefore the government need to defend it. The best way is to inform people of the basics of security at least. It needs to be a government initiative.

  • According to the BBC article, the initial charges were dropped due to a technicality (i.e. indictment was filed too late, whatever that means).

    So chances are he knew that he was being watched and slipped up.

    It's interesting that 72,000 boxes were used for one package. Doesn't mean that the machines under his control were "just" those. If someone wants to generate a certain amount of volume (e.g. traffic for a DoS, SPAM, etc) probably 72k machines will suffice.

    This is nothing was the Russian-based botnets [h-online.com] o

  • by DavidTC (10147) <slas45dxsvadiv...vadiv@@@neverbox...com> on Monday September 10, 2012 @12:23PM (#41288901) Homepage

    Unauthorized access of a computer is a felony. (Doing that for the purpose of selling someone else access like that is probably an additional felony, it looks roughly like conspiracy to me. But let's ignore that.) That is, every single authorized access is a felony.

    This guy got 30 months for committing 72000 felonies?

    I know jail time doesn't necessarily 'stack', and that unauthorized computer access is one of the lower-class of felonies, and probably supposed to only be a year in jail at most.

    But, still, this is completely absurd. That sentence is 18 minutes per felony.

    Malware and computer hijacking is basically the legal equivalent of carpeting a football stadium of people with tear gas. If you did that, you'd be charged with tens of thousands of instances of basic assault (A crime which is roughly in the same ballpark, legally, as unauthorized computer access.) and end up in jail almost forever.

    But somehow unauthorized computer access, despite being something that each individual instance is supposed to result in (at least) months in jail, and which does result in months in jail when it's against the wrong person, aka, a big corporation...somehow all that just goes away if you do it against enough people at once via malware.

    If I invented a robot that went around stealing from 72000 stores, they wouldn't just laugh and give me the equivalent of five counts of shoplifting in jail time. If I kill twenty people at once, they don't just laugh and say 'Oh, that was really just one instance, let's sentence him for, oh, two murders, that seems fair.'

    72000 felonies.

    And let's not forget, these have actual victims. Here's a fun question: Would you rather be punched in the face once (Basic assault), or have to reinstall your entire computer? (And, as only 25% of the population has any sort of backup at all, let's pretend you'd lose 75% of your stuff.)

    Yeah, I thought so. There's a reason we actually made the law the way we made it, where those two are within the same order of magnitude as crimes. The courts, OTOH, seem to think that some guy hacking a computer server of a powerful company (Which is one computer and hence one felony.) is much much worse than someone hijacking 72000 human-owned computers.
