Man Gets 3 Years for Botnet Attack
Vobbo writes "Weeks after NANOG subscribers argued whether or not mitigating botnet command and control systems was a worthwhile endeavor, the LA Times reports that the old-fashioned method of arresting and prosecuting criminals still works. Prosecutors successfully prosecuted a 21-year-old who had conspired to create botnets that attacked the Department of Defense, a California school district, and a Seattle hospital before being arrested. He pleaded guilty and was sentenced to 3 years of 'supervised release.'"
Remind me again, why do we need all these new laws (Score:4, Insightful)
Re:Remind me again, why do we need all these new l (Score:3, Insightful)
Perhaps if the police spent less time investigating fraudulent copyright infringement claims [slyck.com] and confiscating a political party's servers [johansvensson.eu] they would have more time to chase real criminals. Or was it only in Sweden that the police ignore the criminals and try to hunt down political activists instead?
Re: (Score:2, Interesting)
It's not about crime and safety, it's about power and revenue.
A reminder to Americans: there's an election in a few months.
Re: (Score:3, Insightful)
Re: (Score:1, Insightful)
Tell that to the multitude that is hooked on it. Tell that to the robbery victim whose house was broken into to pay for the addict's next hit. Tell that to the mother whose son was shot in the crossfire of drug dealers' turf wars. And lastly, tell that to the judge as you are in front of him getting your sentence...
Drugs are not a victimless crime by a far shot.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1, Flamebait)
War on Free Speech! (Score:2)
Show me where in law it states that Sweden violating the Berne convention gives the Swedish police the power to imprison an innocent lawyer and confiscate political parties' web servers.
If anyone should be arrested it is the members of the Government who are so clearly abusing their powers to suppress views they disagree with. I don't care whether or not I agree with the views - there is this thing we used to have called the right to Free Speech which is slowly being eroded u
Re: (Score:2)
Without going into the rights or wrongs, you make it sound like the political party was innocent collateral damage, when it was these very same servers, under the auspices of a 'political party', that were directly involved in the related police action.
Re: (Score:3, Interesting)
Re:Remind me again, why do we need all these new l (Score:4, Insightful)
I don't care if you get exploited. You should know enough to figure out when it has happened [e.g. your modem goes crazy] and do something about it [e.g. turn computer off]. And why ISPs still let people transmit IP packets with forged src addresses I'll never know. Sure it's technically valid [as far as IP datagrams go] but the only legitimate use is to DoS something.
Oh, and a public flogging wouldn't hurt either.
Tom
Re: (Score:2)
Disabling raw sockets... may help too.
Any socket is a raw socket, e.g., just because port 80 is the standard port for http doesn't mean I have to use http over it.
Re: (Score:3, Informative)
A raw socket is basically an IP socket where you get to form the IP header and payload however you want. You can then send things like ICMP packets with the incorrect src address. Or you can issue TCP connect requests with the wrong address, etc...
Running httpd on port 81 is still a TCP/IP socket. You'd be sending out a valid src address and the like.
Tom
Re: (Score:2)
Re: (Score:3, Informative)
If you want to get more fancy you could make sure ip associates with the MAC address. But generally if you can track a DDoS participant to an ISP gateway you can narrow it down from there if it's still active [or if you keep stats].
Tom
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Once people take their security seriously [or seriously enough to get 15 minutes of training] then we're all set.
I mean in this day and age where everything is done over the net, why do you need training to drive a car but zero to own a high performance desktop with a crazy amount of bandwidth?
I'm not saying we should have
Re: (Score:1)
Ben
Re:Remind me again, why do we need all these new l (Score:5, Informative)
If you disable raw sockets, the backdoors will just start re-enabling them, sending raw ethernet frames instead of raw tcp, or even installing a replacement tcp stack which supports raw sockets properly.
Re: (Score:3, Informative)
E.g. your address is 70.3.44.8, if your IP packets don't have that in the src address then null-route the sucker. Boom, no more anonymous DDoS as the zombies will be trackable and then can be held accountable.
Tom
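The source-address check described in the comment above, sketched as an added example (not part of the original thread or any poster's code). The port names, the second prefix, the sample packets and all function names are constructed for illustration; only 70.3.44.8 comes from the comment.

```python
import ipaddress
import struct
from collections import Counter

# Constructed table: customer-facing port -> prefix the ISP assigned to it.
ASSIGNED = {
    "cust-port-1": ipaddress.ip_network("70.3.44.8/32"),
    "cust-port-2": ipaddress.ip_network("70.3.45.0/29"),
}

def ipv4_src(packet: bytes):
    """Return the source address of a raw IPv4 packet, or None if malformed."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None
    return ipaddress.IPv4Address(packet[12:16])

def ingress_verdict(port: str, packet: bytes) -> str:
    """'forward' only if the source lies in the prefix assigned to this port."""
    src = ipv4_src(packet)
    net = ASSIGNED.get(port)
    if src is None or net is None:
        return "drop"  # fail closed on malformed input or unknown ports
    return "forward" if src in net else "drop"

def dropped_by_port(events) -> Counter:
    """Count drops per customer port so the offending line can be followed up."""
    return Counter(port for port, pkt in events
                   if ingress_verdict(port, pkt) == "drop")

def make_packet(src: str, dst: str) -> bytes:
    """Constructed sample input: a bare 20-byte IPv4 header, checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

# Constructed traffic: two honest packets, two with a forged source, one runt.
SAMPLE = [
    ("cust-port-1", make_packet("70.3.44.8", "192.0.2.1")),
    ("cust-port-1", make_packet("198.51.100.7", "192.0.2.1")),
    ("cust-port-2", make_packet("70.3.45.3", "192.0.2.1")),
    ("cust-port-2", make_packet("70.3.45.9", "192.0.2.1")),
    ("cust-port-2", b"\x45\x00"),
]

if __name__ == "__main__":
    for port, pkt in SAMPLE:
        print(port, ipv4_src(pkt), ingress_verdict(port, pkt))
    print(dict(dropped_by_port(SAMPLE)))
```

Because the check is keyed on the customer port rather than on the packet's contents, a forged source never reaches the upstream network and the drop counter points at the line that sent it.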
Re: (Score:1)
Re: (Score:2)
Filtering based on IP src address is not a bad idea given how easy it is to abuse. There are few legitimate reasons you would spoof a src IP anyways.
And before you start jumping up and down about millions of customers, most ISPs have local gateways for a limited subset of customers. I'm in a
Re: (Score:1)
As for millions of customers, how trivial would it be for SOHO vendors (Linksys/Dlink/Netgear) to implement this sort of thing?
It still wouldn't help the non spoofed DDoS attacks, however. But in this day and age of the Internet, who's to say QoS shouldn't be built in.
Re: (Score:2)
Tom
Re: (Score:1)
Re: (Score:3, Insightful)
Yeah, admittedly it would be ideal to do the PF matching in hardware to reduce latency. Hell, I'd be for just doing it in the modems themselves. Make the damn thing locked and most zombie'ed machines wouldn't be able to work around it.
But that's costly as millions of people have modems already. There are fewer gateways than there are modems so
This is just like the spam problem. A simple solution is hashcash but nobody seems to want t
Re: (Score:2)
But this is beside the point, really: The problem is a human one, not a technological one. You can't force enough ISPs to implement source-checking filters to make a dent. You'd have to
Re:More sensationalism (Score:4, Informative)
"Editors", feel free to cut and paste.
FTA: "A man was sentenced to three years in prison Friday for launching a computer attack that hit tens of thousands of computers, including some belonging to the Department of Defense, a Seattle hospital and a California school district.
Christopher Maxwell, 21, of Vacaville, Calif., was also sentenced to three years of supervised release."
I would say the 3 years in prison is more significant than the probation afterwards. Perhaps you should be informed before you start criticizing.
Re: (Score:2, Informative)
So assuming that he stays out of trouble, then yes, the sentence is probation.
Re: (Score:3, Informative)
Meanwhile he can do whatever the hell he wants, as he is likely to see his PO maybe once every three months.
I was in for armed bank robbery and rarely saw my PO. Fill out the form once a month and that's it. If you have no history of drugs, you won't even take drug tests. Oh, yeah, he might have to go to a bottom of the barrel shrink once a week for "therapy" - that's the biggest annoyance.
In essence, he got away with it. Supervised release is an annoyance, nothing more.
I wonder... (Score:4, Insightful)
... how this new type (spammers, mailflooders, scriptkiddies, 'hackers', scammers, ...) of jail-citizen are welcomed and treated.
I often read these kind of things and wonder whether punishment isn't too hard on cybercrime, if you compare the crimes committed to equal the sentence time. It appears out of proportion to me.
In this case one can argue it's a "conspiracy against the government" or a plot to "attack the US infrastructure". However, I doubt the guy ever planned to start some sort of war with the government, other than showing his discontent or something like that.
It doesn't really matter how I think about this specific case, but it makes me wonder to what computer crime (and the definition thereof) compares to other crimes? I can see the scammers being up there with fraud, no argue. But I'm sure about the others.
Re:I wonder... (Score:5, Interesting)
Re:I wonder... (Score:5, Insightful)
That and frankly little script kiddies are not harmless, they're ignorant and there is a difference. The net really depends on the netizens actually playing nice [or at least fair] with one another. When people like this take it upon themselves to affect so many, they deserve an appropriate punishment.
Tom
Re: (Score:2)
Re: (Score:2)
Frankly, "intent" aside if you did it you did it. If I rob a store, I may not intend to give the clerk a heart attack, but I did it just the same. Why shouldn't I be held accountable for it?
And again
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
This is just silly. Any company that has critical real-time priority systems connected to any computer connected to the Internet deserves the wrongful death suit they get.
Re: (Score:2)
Re: (Score:2, Interesting)
Re: (Score:2)
Re: (Score:1)
Re:I wonder... (Score:5, Insightful)
Same thing in IT right now, lots of easy crimes to commit with few real repercussions for illegal actions.
Re: (Score:3)
Re:I wonder... (Score:4, Insightful)
This argument is exactly what causes new cyber laws to be needlessly written. It's pure balderdash. Theft is still theft, extortion is still extortion, etc. Just because the behavior is done over the wire doesn't make it any less or more of a crime. The only part of the law that might be lacking is extradition where someone in country A launches an attack of some sort on someone in Country B.
The only thing the internet does is make crime less risky in terms of immediate repercussions. If you rob a bank in person with a gun, all sorts of things can go wrong. If you do it over the wire, you can have your money and be sitting on the beach of a country with no extradition treaties (see above argument) sipping on a cool drink before the authorities even know your name. Even better than that, you can do it from the beach while sipping on a cool drink.
The internet melts international borders. The law hasn't caught up with that yet. Focus on that and getting better trained law enforcement to deal with cyber crime more quickly. If the law needs to be changed, the only thing I suggest is to make cyber crime default to maximum penalties. You don't need to reinvent the wheel to deal with the same crime that has been around since laws began.
Re: (Score:2)
So if you are operating from a country where the law allows you to take money from an electronic system because their laws weren't written with electronic banking in mind, who is to stop you? Do you think the victim's country's
Re: (Score:2)
What punishment? (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2, Insightful)
Re:I wonder... (Score:5, Insightful)
I was gonna mod you down, but I'll be constructive and reply instead.
Before anyone screams conspiracy or defends this person, RTFA. This guy and his two buddies made over $100,000 from advertisements displayed by their little botnet. His motivation was simple . . . money, which last time I checked is no different than that of the spammers that almost every single Slashdotter would like to see ruthlessly executed and buried in an unmarked grave somewhere. The fact that he attacked (probably because of the indiscriminate nature of his botnet) public infrastructure is somewhat irrelevant other than it means it's easier for them to nail him to the wall 'cuz he got too lazy to look after all of the domains he was targeting. I think if we started vigorously prosecuting MORE of these people, and punishing them with jail times such as these, (US-based) botnet attacks would dramatically decline (as would spam). GO AFTER THE MONEY.
Re: (Score:2)
Re: (Score:1)
While we can't realistically hang crackers for this kind of thing severe punishments with long jail sentences are a practical necessity. Just in terms of money lost on bandwidth alone justifies a heavy handed approach. And that isn't even counting the severe crimes like molestation, rape
Re: (Score:2)
"In searching for more computers to infect, the bot software used by the group caused trouble amongst some systems at Northwest Hospital: doors to the operating room failed to open, pagers did not work, and computers in the intensi
100k for Installing Spyware? (Score:5, Funny)
Tolerance for the crime (Score:2)
Christopher Maxwell, 21, of Vacaville, Calif., was also sentenced to three years of supervised release.
The amount of crime is inversely proportional to the tolerance of the crime. That is, if the punishment for a crime were to be severe enough there would be little of it. Guess with this kind of sentence we can expect more crime.
Re: (Score:2)
<sarcasm> Yeah, that's why with death penalty there's a lower crime rate in the U.S. than in the other industrialized countries </sarcasm>
Re: (Score:2)
This doesn't necessarily say that the death penalty offers much in the way of deterrence, but inferring that it has a negative effect because there are fewer death-penalty level crimes in other countries without the death penalty is not a reasonable correlation.
The US has been on slow boil s
Re: (Score:1)
Re: (Score:1)
Ignorant bullshit!
If that was true then there would be virtually no murders in the US due to the death penalty. We all know how that worked out, the US now is one of the last places in the developed world with a death penalty and also the place with the highest murder rate.
Re: (Score:2)
He deserved it! (Score:3, Insightful)
Now the real fun begins (Score:2)
Re: (Score:2)
Re: (Score:1)
Nothing justifies rape. Ever.
Bad link? (Score:1)
Is it just me or did this link to a previous story? Here's the link I found:
http://seattletimes.nwsource.com/html/localnews/2003226994_botnet26m.html [nwsource.com]
3 yrs + 3 yrs probation plus $200K restitution (Score:3, Interesting)
His probation stipulations will probably include not using computers, which when coupled with a felony conviction means he's going to be pretty much fucked in the job market when he gets out. Unless he has a whole bunch of other talents, like, being a Master Chef or something. He is therefore saddled with an unpayable debt. Even if he does pay it off, that's the equivalent of one whole house he won't get to buy. And that has repercussions down the line - who's going to hook up with a jobless loser with insurmountable debt? Added on top of the usual computer geek dating handicap, that's crushing.
He didn't think about the consequences when he attacked 400,000 machines. He probably didn't know he was hitting DoD networks and a hospital. Well, I'm not sure that attacking 400,000 home users wouldn't have still qualified him for this massive pain. Doing evil to a lot of people just because you can and get paid for it merits this kind of response.
A cleanup like he forced is expensive.
Folks - if you are interested and curious about computer security, set up a lab and 0wn the boxen therein to heart's content. Don't fire lots of live ammo indiscriminately in densely populated neighborhoods, you dig? You can probably get in on a Capture the Flag haxoring event at a con near you on a nicely isolated network set up for the game. Win a Defcon CTF and I'll have a lot of respect. Being just another botherder does not show any impressive skeelz.
Re: (Score:1)
Congratulations, that set of circumstances pretty much guarantees that restitution will never be delivered, making it pointless (see also: other cases where large sums are demanded of a
As Long as Greed is involved (Score:1)