Mirai IoT Botnet Co-Authors Plead Guilty

Three hackers responsible for creating the massive Mirai botnet that knocked large swathes of the internet offline last year have pleaded guilty. Brian Krebs reports: The U.S. Justice Department on Tuesday unsealed the guilty pleas of two men (Editor's note: three men) first identified in January 2017 by KrebsOnSecurity as the likely co-authors of Mirai, a malware strain that remotely enslaves so-called "Internet of Things" devices such as security cameras, routers, and digital video recorders for use in large scale attacks designed to knock Web sites and entire networks offline (including multiple major attacks against this site). Entering guilty pleas for their roles in developing and using Mirai are 21-year-old Paras Jha from Fanwood, N.J. and Josiah White, 20, from Washington, Pennsylvania. Jha and White were co-founders of Protraf Solutions LLC, a company that specialized in mitigating large-scale DDoS attacks. Like firemen getting paid to put out the fires they started, Jha and White would target organizations with DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks. Editor's note: The story was updated to note that three men have pleaded guilty. -- not two as described in some reports.

The son of window glass installer

[whitesea]

It's an old attack, with a son breaking windows and father repairing them. However, since they did it on Internet, maybe they can patent it and make the rest of the scum pay the licensing fees?

Re:

[kelemvor4]

It's an old attack, with a son breaking windows and father repairing them. However, since they did it on Internet, maybe they can patent it and make the rest of the scum pay the licensing fees?

A not entirely unreasonable gambit given the state of both patent and copyright law. This time, things didn't pan out - but it has for many many others.

Re:

[chispito]

It's an old attack, with a son breaking windows and father repairing them. However, since they did it on Internet, maybe they can patent it and make the rest of the scum pay the licensing fees?

From reading the Krebs deep-dive a year ago, I think it was a pretty straightforward protection racket:
Identify a private minecraft server host that is using a competitor's anti-DDOS service. DDOS the competitor so they were ineffective and also couldn't respond to service requests, then DDOS the minecraft host itself. Then, offer your own anti-DDOS service to the Minecraft host at the seemingly most opportune time (obviously stopping your DDOS on the server once they sign up).

The Minecraft server operator

'plea bargain'

[Reverend Green]

Yay for state sponsored anal rape! Yay for coerced false confession! Three cheers for the American Gulag!

Not 100% his fault

[slashmydots]

You know, when someone's smart fridge starts popping up messages saying it needs to install Windows 10 platinum version and they need to call the Microsoft support number to help them fix it then maaaaaybe they should have just bought one that makes food cold. Is it really the author's fault completely or is the the fault of consumers buying smart-everything.

Re:

[Baron_Yam]

100% his fault for hacking. No excuses.

You leave your car unlocked and with the keys in the ignition... you're stupid for taking a risk like that, but if it's stolen the car thieve still needs to be skinned alive and hung outside the city limits as a warning to other thieves.

Having said that... I think there's nothing wrong with a tablet-like system on a fridge door. It's a convenient place in a kitchen. I just don't think the fridge should be doing anything other than providing an appropriate mount poin

Re:

[EndlessNameless]

I understand CFAA runs rampant and is abused everywhere

These guys deliberately pushed malicious code onto devices that didn't belong to them. Fuck them, they belong in jail. This is one of the few times where the law did exactly what it needs to do.

at what point does the company who deployed to production a shitty product with a shitty default password assume responsibility?

Negligence and poor craftsmanship are not usually crimes. Like it or not, that's how it is. But they can get you sued.

Unsecured devices with no authentication or widely-known default passwords definitely qualify as negligence. There are security principles that address this situation, and they are older than I am.

They are set for life

[140Mandak262Jamuna]

They will have some plea deal and will be actively recruited by hedge funds, high frequency traders and banks. This level of criminal thinking is a highly sought after in those circles. They will properly trained on how to do it under the protection of these firms with big team of lawyers and lobbyists.

Re: They are set for life

[Brockmire]

So, Uber?

Re: You 74il it

[Brockmire]

Sometimes the bots fuck up.

So shoot them.

[argStyopa]

I'm serious.

1) human lives aren't precious. There are more than 7 billion of us. 7 billion of anything is usually too much. We can spare some, particularly bad ones.

2) let's understand and acknowledge how vital and critical the internet is to today's world. They attacked that infrastructure in a way that is hard to refute.

Let the punishment fit the crime.