back to article I Was A Teenage Bot Master

One day in May 2005, a 16-year-old hacker named SoBe opened his front door to find a swarm of FBI agents descending on his family's three-story house in Boca Raton, Florida. With an arm and leg in casts from a recent motorcycle accident, one agent grabbed his good arm while others seized thousands of dollars worth of computers, …

COMMENTS

This topic is closed for new posts.
  1. John PM Chappell
    Flame

    Another Skiddie bites the dust..

    .. but the problem remains. As I see it, he's guilty of what he did but partial guilt belongs to those who do not take basic steps to secure their machines and/or exercize common sense. I also hold Microsoft (and to a much lesser extent other software companies) responsible for their atrocious attitude to and track record on security.

    A basic flaw, for example, with Windows (until Vista at least) is that by default, on home user systems, a user account has full administrative rights with no challenge dialogs generated when they are used. Worse, an awful lot of software, written by Microsoft as well as others, will not even install or in some cases execute, without such privileges.

    This guy was not really talented, not especially intelligent, but he learned that it was relatively easy and financially rewarding to use his skills, such as they were, to compromise poorly protected and/or ineptly used machines, for a bare minimum of effort on his part. It also clearly made him feel 'big' and 'clever', plastering over his poor self esteem. In short: The American Dream (tm).

    This skiddie isn't the first and he will not be the last, in fact, until Joe Luser takes some responsibility for the security of his machine and exercizes some common sense and moral judgement (how about not downloading that 'free', i.e. stolen, version of your favourite software? The one loaded with trojans.) this problem will be with us, no matter how hard people work on education of users, removal of the payloads, prosecution of the perpetrators and so on.

  2. Fatman
    Stop

    I was a teen age bot master

    Boo Hoo!!! Sniveling brat now has to go to jail.

    Tough S---!!!!

    The judge should add probation conditions to that jail sentence which would put his ass back in jail if he does this again. If you think that I believe that this punk will be reformed; not likely, unless someone in prison makes a "bitch" out of him.

  3. Anonymous Coward
    Stop

    @Another Skiddie bites the dust..

    So your argument is that the victim is at least partly responsible, for failing to lock their door / wearing a short miniskirt / whatever? By that standard, you should blame babies for having candy taken off them: it's their own fault for not being older so they could fight back, right?

    It makes no difference at all if people are stupid, gullible or dumb. It doesn't give anyone a free pass to treat them like they were inanimate objects, property, slaves. In fact, preying on the weak / defenceless / unarmed is *more* despicable, remember?

  4. Anonymous Coward
    Anonymous Coward

    Should've rolled his own software.

    Instead of being a whiny script kiddie and complaining about a secret backdoor.

    I agree with the first poster; the kid's nothing special in the intelligence department. Makes me want to try getting a job with the FBI just to track down these fools.

  5. hurtz rage
    Linux

    Word

    It's just like the plot for hackers.

  6. Steven Swenson
    Stop

    @@Another Skiddie bites the dust..

    If people had secured their computers, this script kiddy would not have been able to get any bots and he would have gotten bored and perhaps used his talents for better things.

    I'm not saying it's the victim's fault. But the victims' stupidity is partially to blame. To use your rape victim analogy, these victims didn't just walk down the street with a short skirt. They pranced through gangster- and thug-filled alleys naked, breasts-a-waving, ass-a-shaking, expecting to come out untouched.

  7. Anonymous Coward
    Thumb Down

    re Steven Swenson

    First off, Microsoft (et. al) morally and ethically, should share in some amount of responsibility, but legally, they can't be touched, so to a certain extent, I agree with you there.

    As for the rest of your analogies, given your lofty expectations of the typical lay computer user, who doubles as a grandma, clueless kid or uninitiated adult, does that make you a qualified pilot, just because you know how to make paper aeroplanes? Or a brain surgeon, just because you know how to cut things?

    Regardless of what we computer professionals think or say about how things should be done, the sad fact of the matter is that companies like Microsoft, Oracle or anybody else for all that matters, really don't place security at the very top of their "to-do" list. Their focus is to do the absolute minimum to give the illusion of being secure, sell in mass quantities AND be profitable.

    If reality were more towards how computer and infosec professionals wanted, there wouldn't be quite the need for antivirus, anti-malware personal firewalls, or intrusion detection/avoidance devices, that there is.

    If people were simply follow a moral and ethical code, in general, people wouldn't be required to lock up their homes, cars or be concerned about walking around scantily clad. But they don't and because of a few assholes like this kid have to ruin the computer experience for the majority of the non-technically inclined. And if you want to get picky about it, the stupid bastard AND his idiot parents put the DoD and who knows how many businesses at risk, because of his greed and lack of ethics.

    Due to the sheer magnitude of infection, and exposure of individuals private data to the truly hostile, I think the little putz should be put away for life, without parole.

    But hey, it's not up to me, so he's safe for a few years.

  8. Charles Manning

    @@@Another Skiddie bites the dust..

    Tits-a-jiggling? Most botted folk don't wave a "come bot me" flag and most don't even know they've been botted.

    There is a very low-tech solution to this:

    Turn yah computer off then you're not using it. Apart from saving power, an off computer can't bot.

    Yeah I know there are some torrenting folk etc, but for the most part they are not the people being botted.

    ISPs could surely also take some effort to identify botting and warn the botted.

    I've heard people say that turning computers off/on breaks them. I don't believe that. I have 7 computers here that get turned on/off once a day (the laptops more often) and in 15 odd years I've never had one break due to powering up\/down.

  9. Mark Bennett
    Thumb Down

    let's get real here.

    Mini skirt, prancing, leaving your doors unlocked, passing the blame to Microsoft, blaming the victim in general?

    Grow up.

    None of that is an excuse for someone. It's as bad as saying "Well, the victim shouldn't have left their house door open while they mowed the lawn, it's their own damn fault that I was able to walk in, steal their TV and Stereo!".

    I, for one, hope this little shithead gets ten years in Federal prison.

    Personally, I'd like a return to 'justice', Mongolian style. Back in the 13th century, a women could walk, naked and draped in gold chains, from China to Hungary. Anyone touched her, the mongol army would 'discourage' them and make sure that they never, ever, repeated their crime.

    Same thing should apply to this kind of idiot, ten years in Federal prison, and a court order to never even touch a computer again, on pain of a life sentence.

    Like it or not, 'Joe Luser' on his computer pays the bills. The rest of us whoa re properly educated in being totally and uncompromising paranoid have to live with it.

  10. John PM Chappell
    Linux

    @ AC

    Actually, a victim can be considered to have supplied provocation or mitigating circumstances, so aye, pretty much.

    Where I come from (Scotland) it is a more serious offence to steal from a secured vessel or premises than from one which was not. This is because the law recognizes that when a person takes steps to secure their property (and privacy) those who then commit offences against it have shown a determination to do so not merely stumbled upon it and taken advantage ('opportunity crime'). I think this is directly applicable as an analogy for what happened with these botnets; through ignorance or casual disregard many of the bot hosts failed to secure their machines and were compromised.

    It's not fashionable to point this out in the present world of "Teh IntarWeb" and "Web 2.0" but connecting machines to a network is inherently risky unless you control all the machines on that network and/or trust all the users. Connecting your machine to a global network via an 'always on' connection and leaving it powered on for most of the day is quite literally asking for trouble. If you want to do this you need to take some common sense measures, ideally you make sure you are sitting behind a real firewall (software is _not_ a firewall, folks, no matter what MS or MacAfee tell you) with your machine using a non-routable address and that the firewall operates proper port access protocols. This used to require some savvy and a bit of cash but today you can get it for free from an ISP or shell out maybe 40 quid at Tesco.

    All that said, you ignored the fact that I clearly said the skiddie's actions were not excused, rather I pointed out how an unremarkable teen can commit these actions easily because of the failings of others, including the user of the compromised machines.

    [Penguin because it goes a long way towards stopping this kind of stuff]

  11. Hate2Register
    Thumb Up

    Clear as MUD..

    You must be an American. "He's a minor, therefore we shouldn't give his name." Clear as MUD.

  12. Anonymous Coward
    Anonymous Coward

    13th century...

    Obviously there was no "printed material" then, and observing a female of the species would have been quite a sight. No touching necessary.

    Slightly different now.

  13. Trix
    Alert

    This moron of "above average intelligence"?

    Well, ok, he was apparently writing C code... although not well enough to spot a backdoor of the script he was using. But to keep on with his shenanigans when it was obvious he was under investigation? Duh.

    Also, if El Reg is going to point up a quote's bad grammar and spelling, perhaps they should learn that "SoBe was also drawn to Ancheta's social flare" probably has nothing to do with something being ignited. I think the word you were looking for is "flair" - "a skill or instinctive ability to appreciate or make good use of something : talent".

    Finally for those who are blaming the victims, you know, the administrators who invented SMTP ran open relay servers. In fact, having an open relay mail server was the default configuration for most of the existence of email. It wasn't until little tosspots started up with spamming all and sundry that the more closed nature of email relaying evolved - the criminals came along and spoiled it for everyone. And you're expecting home users to know better than those early email admins? I agree that MS should have better controls in terms of not having the default account be the admin account... but NT was designed before anything like bots existed. Now MS are trying to catch up (badly) with Vista, but it's not the end users who are to blame.

  14. Anonymous Coward
    Anonymous Coward

    Re: This moron of "above average intelligence"?

    Flare = Flair.

    Slip of the brain, now corrected.

    Drew

    El Reg

  15. Dace
    Alien

    So the message is

    Stay in school, kiddies

    and dont do dru...I mean, Bots.

  16. Bernard

    Standard criminal mindset

    Leaving aside the computer element his is a standard criminal mindset. What he's doing isn't really wrong. He's invincible right up until he gets caught and when he does the stuff immediately becomes 'stupid stuff I did in the past' until the next time the temptation comes up.

    That kind of mentality more or less guarantees repeat offending unless jail time knocks some sense into him.

  17. Andy Taylor
    Boffin

    Incorrect analogies

    The analogies are wrong - it's not walking down a dark alley naked, it's walking down a well lit alley that just happens to contain thugs and gangsters with a sign pinned to your back saying "attack me".

    The attack itself is more like having your pocket picked as usually you don't notice until much later.

  18. Anonymous Coward
    Thumb Down

    Ridiculous

    I have a big problem with the fact that people get longer jail times for botnets, than they do for rape, violence and murder/manslaughter.

    It's ridiculous!

    Even here, they weren't exactly destroying all the computers...they were installing some adware.

    Completely and utterly ridiculous.

  19. 4a$$Monkey
    Pirate

    Chop their fingers off...

    ...and see how good their skilz are when they are trying to control their bonnets with head wands!

    Hanging's too good for 'em

  20. b
    Flame

    With that short skirt she was asking for it

    > As I see it, he's guilty of what he did but partial guilt belongs to those who do not take basic steps to secure their machines and/or exercize common sense

    I'm going to burgle your house. After all you have windows so it's your own fault.

  21. ImaGnuber

    RE: Ridiculous

    I get the impression you think "jail times for botnets" should be lowered?

    Odd. I think sentencing for "rape, violence and murder/manslaughter" should be increased. Same effect relative to a judgement of the harm done.

  22. Anonymous Coward
    Stop

    "China Lake Navel Air Facility"?

    presumably something to do with eradicating fluff

  23. MarmiteToast

    alternatively use "[sic]"

    "That's why I love this age, its all computers heh," SoBe wrote in early December 2005, a month after Ancheta's arrest, during an online chat. "All these companys have websites, etc. Its just funny going somewhere like Target, or Sprint then coming home and rooting there servers out of boredom. Makes some people feel like they can do anything." (Misspellings and grammatical errors are his.)

  24. Anonymous Coward
    Anonymous Coward

    Admin privs...

    >an awful lot of software, written by Microsoft as well as others, will not even

    >install or in some cases execute, without such privileges.

    Quick heads up, HP All in One drivers are one set of such software, it's a PITA.

    >amanfromMars

    I think it's about time the Reg tracked this guy down for an interview..

  25. Jon Green
    Coat

    "China Lake Navel Air Facility"

    Presumably that's what they had left, after they'd picked the fluff out.

  26. John PM Chappell
    Happy

    @ b

    You're welcome to try, but first you have to find it and then you will be disappointed because when I am not there, typically others are and when noone is home, the house is secured (the windows, along with the doors, are secure not just some plywood sheets or wooden struts). Also, where I live is a relatively busy neighbourhood with plenty of people to notice strangers prowling around or trying to force doors and windows.

    So, translating this back into an analogy for the original article topic, if my house were a PC it would be running a secure OS, sitting behind a properly configured router (i.e. firewall) and I as the user would not be doing stupid things like downloading supposed videos of C-list celebrities, pirated copies of expensive software or clicking on URLs sent to me in email by strangers. Oh, how interesting, that's pretty much exactly like my real PCs :¬)

    Nice try, no cigar.

  27. Danny

    RE: ImaGnuber

    My point was that four and a half years is a long time.

    I think the real issue on hand is what are you trying to achieve?

    - Prevention?

    - Punishment?

    - Reform in the individual?

    - Correct the problem?

    I just don't think the real issue is being tackled, sure the kid needs to be stopped from doing it, I just don't think four and a half years behind bars is going to do any long term good for the kid or society.

    In addition, I can't see that any real harm was done. Sure, they broke a few laws...and should be stopped and punished...but they didn't kill anyone, cause any mental problems, physically hurt anyone...

    I agree with the synical stance of By b, however, much of this newer bot net stuff is seriously advanced pieces of kit that a basic firewall/AV may or may not prevent.

    Don't get me wrong here, I think that bot nets are bad evil things...I just question the way its being dealt with.

  28. Anonymous Coward
    Anonymous Coward

    In defence of the weak....

    The strong defend the weak in society otherwise we'd be govern by warlords... (ahem...).

    It covers numerous areas, from the inevitable short skirted rape victim, to people who don't know about computer security, car brakes, aircraft wings, house alarms, building regs.

    It's not the victims fault that they're a victim.

  29. Shinobi87
    Flame

    amanfrommars

    I agree I emailed el reg before saying they should do a story on him!

    Anyway back to the story!

    I do find it amusing how most people say “yea he wasn’t smart". How can you come to that conclusion? Have you stood behind his pc and watched him formulate his plans, code applications, etc. infact for that matter could you accomplish what he had? I'm obviously not siding with a botter I just feel some of the comments are stupid! I do agree the sentences for computer crimes are stupid, like really stupid. And you are right people get off on rape charges after a year or two. If you shop lift you might get let off, get a small fine, do community service. If you download a song and get charged you could pay an unlimited fine and probably get sent to jail. It takes the piss

  30. Ross

    5 years?!

    It's good to hear the police are getting involved with the bot herders (although less impressive they only seem to go after the amateurs that advertise and rent servers using their own credit cards). However, 5 years for approx $40,000 of fraud?!

    Check out http://www.birminghammail.net/news/worcestershire-news/tm_headline=-54-million-vat-fraud-gang-is-jailed&method=full&objectid=18421584&siteid=50002-name_page.html

    40 years jail time between 8 ppl, so an average of 5 years each. I think the obvious lesson from these stories is if you're going to commit fraud, think BIG! I mean, £7mil a piece (approx $14mil) for 5 years "work"? I'd do it. Ok, you'd have to live on a random tropical island for the rest of your life, but damn it'd be a nice life.

    I think there is an inexcusable disparity in sentencing here. What's the going rate for getting drunk, going out on your motorbike and killing someone? 2-3 years? It;s ridiculous. The message seems to be if you mess with ppl with money you get screwed, if you have the money or just kill some random poor person we don't care.

  31. Chris Cheale
    Paris Hilton

    We dont...

    ----

    if you have the money or just kill some random poor person we don't care.

    ----

    We don't... not really. If it's someone people have heard of they're interested - otherwise they just shrug their shoulders and say "and...?" Read the papers, watch the news - Ant and Dec are "fraudulently" given a comedy award at some show or other and it's news, throw in a couple of token murder/rape cases and that's your front page sorted.

    When I was a student someone was clubbed to death with a baseball bat a couple of streets over from where I lived (for being gay I believe) - only reported by the gossips in the local pub and a small article in the Echo.

    Honestly - people don't really care.

    Oh, "above average intelligence" doesn't mean much - average (in the UK) is 100, above average could be 102 - hardly Stephen Hawking. Face it, the kid was just a numpty skiddie who didn't cover his tracks very well... had his botnet been smaller nobody would have cared and we wouldn't be reading this.

    PH - I rest my case

  32. Anonymous Coward
    Alert

    @ross

    No, the lesson learned is that you do not do it in American. Or anything else for that matter, I do feel for Gary McKinnen if he gets extradited. Would have served a year here maybe, but over there 5+ for sure.

    These pair were just kids, they shouldn't be doing jail time. Probation, a fine and restricted access to computers is what they should have gotten.

    As for all those that are saying they got what they deserved, if everyone in life went to jail for mistakes they made as a kid but did not get caught for then 99.9% of the population would have served time.

    Sometimes we make the wrong decisions in life, we are only human.

  33. conan

    Victim's responsibility

    The victim's aren't in any way responsible for the actions of the perpetrator, whether or not they've used adequate security. But the moment their machine is part of a botnet which launches a DDoS attack or sends some spam out, they become fully responsible. I have no sympathy for somebody who sends me spam or attacks my website, irrespective of whether or not they knew they were doing it.

  34. Anonymous Coward
    Anonymous Coward

    Renting servers...

    They had a bot net of 400,000 machines and then they rented a server?

    Why not just use the net?

    @conan

    The victims aren't in anyway responsible for the actions of the perpetrator, whether or not they've checked their own brakes after they were serviced.

    But the moment they have a brake failure leading to them crashing into my car they become fully responsible. I have no sympathy for somebody who had faulty brake parts installed without them knowing and with no way of telling short of a few years study of car mechanics and a lengthy inspection of the car before every trip.

  35. Anonymous Coward
    Thumb Up

    Beautiful

    Just goes to show - black hats are nothing but common criminals transplanted to another medium. How they ever achieved any kind of fame is beyond me. And kids - do NOT expect to land a job in the security industry after pulling a caper like this. Stealing is stealing, no two ways about it...

  36. Johnny FireBlade

    Got this far and had to comment

    "His nonchalance was fueled by a combination of confidence in the superiority of their tactics and a warped belief that their commandeering of hundreds of thousands of PCs was perfectly acceptable, or in any case, no different than the way most online businesses behaved."

    Phorm, anyone?

  37. Anonymous Coward
    Anonymous Coward

    @Chris Cheale

    "Oh, "above average intelligence" doesn't mean much - average (in the UK) is 100, above average could be 102 - hardly Stephen Hawking. "

    Chris,

    The definition of IQ sets 100 as the average for any demographic....

  38. Walter Brown
    Flame

    Sentences are too light!

    I think the sentences are way too light, i think they should be sentences based on the a more fair scale, it takes a competent professional about 1 hour to clean up each computer infected with shit spewing crapware these people are pushing, so an appropriate sentence would be 1 hour for every computer these fuckwads infected.

    400,000 computers = 45.7 years in club fed, with 90% of their $1.15 per hour pay rate going to the victims relief fund...

  39. Anonymous Coward
    Anonymous Coward

    @Walter Brown

    1 hour?

    Surely only a full re-installation of the O/S can guarantee the machine is clean.

    Once one part is compromised, then any part could be compromised.

    You mean 1 hour to get it to a theoretically maybe use it but not for financial transactions I guess?

  40. Andy Enderby
    Thumb Up

    Crime and punishment

    Some of the posters here are forgetting that this little weasel was pursuing his hobby not out of "juvenile high spirits", but out of greed, pure and simple. The wee turd was making money out his enterprises, which means that someone somewhere was losing out, whether because they had to pay for someone to purge the malware, someone stole their credentials. The funds gained from the various ad companies were the result of fraud.

    There is an argument that all of us internet users have lost out as a result of the skiddies use of bandwidth and the resources soaked up, financial or otherwise protecting ourselves and/or others.

    I agree that crime against the person no longer seem to carry sufficiently severe punishment, but fail to see how this excuses SoBe's anti social behaviour.

    Lock the bugger up.

  41. Dennis
    Unhappy

    naive versus stupid

    While reading all of the comments, I noticed people are questioning his intelligence because of some of his actions that got him caught. I would argue there is a big difference between acting based on naiveté and acting based on stupidity. He was a kid, and did things that kids do because they do not have the "common sense", "life experience", "street sense", or "life experience" to know not to do certain things. Unless, of course, you are stupid enough to think you really did have life mastered by the age of 18.

    From reading the article, it is obvious his naiveté got him caught, not a lack of intelligence. Too bad he could not have met a better mentor to direct his skill and motivation to something more legal and ultimately profitable.

  42. Tom

    @AC

    "Probation, a fine and restricted access to computers is what they should have gotten."

    I see, so you advocate that he should have gotten what he was expecting, in which case, by his own claims, he would still be herding bots, spamming the crap out of the system, and forcing service providers to overbuild their systems in order to support bandwidth these cretins were stealing.

    No, they got what they deserved, maybe less. And yes, I'm with the stone throwers who want all 1st degree murders shot, and most of murders of lesser degrees too. Manslaughter should get you a minimum of 10 in the Big House. And publicize the hell out of it so everybody else gets the message too. These cretins pull the crap they pull because idiots like you let them get away with it.

  43. Anonymous Coward
    Anonymous Coward

    @Tom

    Correction - it's idiots like you that are responsible for ruining kids lives. Thankfully most of these idiots are based in America though. Perhaps you should move there and join them :)

    The simple fact is: Give a bright teenage kid the tools to do something and they will play.

    Ask any kid in the country if they would hack into their next door neighbours computer if they had the chance too and the answer would be yes. It just happens this kid was brighter than your average PC/Internet user and could code.

    As I said - restrict his access to computers till he grows up a bit.

  44. Robin
    Gates Halo

    I'm surprised ...

    at how naïve some of The Reg readers are. Secure your computer against these guys? You've got to be kidding. Short of cutting your Internet cable, there is no real defense against these bastards. Windows is so full of holes it may as well be swiss cheese.

    Of course, it is also easy to jump on the "Microsoft sucks" bandwagon, but I think anyone with an ounce of common sense knows that's not the answer either. Anyone who has worked in law enforcement knows and lives one simple rule. "If someone wants in badly enough, there's nothing you can do to prevent him from getting in." The world is a dangerous place. Anyone who's driven in LA knows that. If you expect less from your OS, you're kidding yourself.

    I'm glad to see these guys get busted, and I'm even happier to see them pick up a lengthy stay in federal prison. The fewer of these guys we have on the street, the better, but really, there's no one to blame but them. People who own computers aren't all IT experts and the guys who write operating systems are not gods.

    The day someone makes a car that never runs out of gas, always drives you automatically to the place you wanted to go, never collides with anything, and you always get lucky in on a date, then I'll come back to Microsoft and demand perfection.

  45. Anonymous Coward
    Anonymous Coward

    @Tom

    I agree with your first point regarding that there needs to be sufficient punishment to ensure that the punishments aren't "laughed off"

    But comeon' capital punishment!

  46. John PM Chappell
    Happy

    @ Robin, Tom, AC and others

    Robin (and Danny): I'm calling bullshit on that one, sunshine. It's perfectly possible to secure a Windows NT5 based home user system, somewhat harder (and inherently more risky) with Win9x (for those keeping count, NT4 is awkward and was never really home user). The first step, if you use an always on connection is to set networking so that you do not run protocols and services you do not need, the next is to use a router firewall and make sure your IP address is in a private non-routable range. These things in themselves will make many, many exploits impossible (old ones but still regularly attempted just in case). I could go on, but suffice to say that whilst slightly 'technical' it's perfectly possible to secure a Windows PC and the average user can easily be led through the steps.

    Tom: I'm pretty much with you on this one. I think multiple murderers (whether in a single incident or repeat offence) should be eligible for execution. I do think we'd need suitably good procedures to make sure but in essence, kill them. As for rape, it tends to get seriously over-hyped. It's a horrible crime, but so is _any_ assault of person and dignity and at the end of the day, rape is pretty much equivalent to serious assaults, it is _not_ in and of itself on a par with murder the way some people seem to want it to be. However, lengthy prison sentences, which actually have to be served, would seem to be the way to deal with rapists and thugs (I'm not saying don't try and 'fix' them, too, but they should still spend a long time deprived of the freedom they obviously were not fit to exercize).

    AC (who first replied to Tom): 'Kids' ruin their own lives, the punishment is what they get when they commit crimes. Perhaps if word gets around that the cocky arrogant kids committing crimes left, right and centre are now serving long sentences, their younger siblings won't think it's a bright idea to emulate them. Inexperience, stupidity and ignorance are not valid defences before the law. Oh, he wasn't that bright either, as indicated by the way he went about his activities, his arrogance devoid of competence to back it up and even the fact that he was clearly no coder, just able to edit code (he missed a chunk of code implementing a back door, for Eris's sake!).

    AC (who replied to Tom second): I don't think he was suggesting excuting Skiddies, although.... ;¬)

    JonB: I get the impression you are trying to challenge the suggestion that those whose machines were hijacked are in no way responsible, if I am wrong I apologize, if not - you probably ought to know that if you are the driver and/or owner of a car whose brakes are faulty, you're legally fully liable, regardless of whether they were improperly installed, imperfect products or anything else. You can sue the installer/manufacturer later but you, the driver, are legally liable.

  47. Joel
    Thumb Up

    Cool article

    Thanks for the read, muchos interesting :)

    This is totally like the film 'Hackers'

  48. Anonymous Coward
    Coat

    intelligence

    there is a very simple way to tell the intelligence of someone:

    if they are in prison they were dumb enough to do something *and* get caught

    if they aren't in prison then it means they were smart enough to either 1. not do it, or 2. not get caught

    you guys have, sorry had some nice stuff in your coat pockets... i'm off to the pub to shift some goods

  49. Henry Wertz Gold badge

    Security

    First off, none of the below is meant to dilute the blame due to those who actually ran these botnets. I think the sentence is a little long (I'd go for a shorter sentence and larger fines), but anyway...

    "So your argument is that the victim is at least partly responsible, for failing to lock their door / wearing a short miniskirt / whatever?"

    I think the argument using this analogy is a lock manufacturer would be partly responsible if they sell "locks" that do not actually hold a door shut. Analogously, Microsoft's made it FAR too easy for people to install unauthorized software ont Windows systems.

    "at how naïve some of The Reg readers are. Secure your computer against these guys? You've got to be kidding. Short of cutting your Internet cable, there is no real defense against these bastards. Windows is so full of holes it may as well be swiss cheese."

    Yes, I secured my machines by getting Windows the fuck off of them. Although, when I ran XP, by ditching Internet Explorer & Outlook (using Firefox and Eudora, set to not use IE rendering engine) and shutting off the crap services it runs by default, I did not have any crap show up on it. (I ran Ad-Aware and AVG and they never showed a thing.)

    "Of course, it is also easy to jump on the "Microsoft sucks" bandwagon, but I think anyone with an ounce of common sense knows that's not the answer either. Anyone who has worked in law enforcement knows and lives one simple rule. "If someone wants in badly enough, there's nothing you can do to prevent him from getting in." "

    Computer security's not like picking some physical locks though. A stock Ubuntu system, there's 0 network services running. It's simply impossible for some botnet to install onto it, there's nothing to connect to. Network apps... well, firefox doesn't haphazzardly run code the way IE will (for instance firefox doesn't have ActiveX at all; flash and Java are sandboxed; and the whole app is protected so buffer overflows etc. will crash the app rather than running bad code.) The whole interface, gnome, KDE, mail apps, etc. make it difficult enough to save a random executable and run it so noone's going to run an app by accident, run an app thinking it's a JPEG, etc. MUCH harder to install an unwanted app onto.

  50. greg

    Victim's responsability

    What about insurances ?

    Why do you have to prove effraction to call your burglar's insurance ?

    So many instances in everyday life where you first have to prove you took the common sense precautions before pretending being a victim...

  51. Justin Stone

    RE: That was above average was it?

    Seen todays British youth?

  52. Scott

    The real victims...

    ...are the rest of the internet users who have to deal with complete idiots who are too stupid or just unwilling to perform basic maintenance tasks and get educated in the operation of their computers, wind up getting p0wned, and flood the public network with malware, spam, and other garbage.

    Since car analogies are so popular for some reason, these so-called "victims" are like people who go buy a car, and insist on driving to the store, visit their grandkids, or whatever the case, WITHOUT EVER LEARNING HOW TO DRIVE. Imagine sharing the road with an accident waiting to happen, they never got a driver's license, don't know the rules of the road, and haven't quite figured out the controls. They run stop lights, fail to yield, get in wrecks left and right, and as a result, their cars are shedding battered sheet metal all over the place and posing hazards to everyone else on the road. It doesn't matter that the ne'er-do-wells out on the highway are causing many of the wrecks (let's say they're insurance fraudsters), with a modicum of training in the use of their vehicles, they would be able to avoid such things and motor along safely.

    It really isn't hard to not be p0wned. Prudence when opening attachments is a start. Patching Microsoft operating systems frequently is of utmost important, at least if they go into an endless reboot, they're not ruining the internet for everyone. Not using Microsoft's shoddy products, which simply don't belong on a public network, would be better yet even if that's an unreasonable expectation at this point in time. There is simply NO EXCUSE for failing to prevent malware infestations on one's own computer, or for failing to discover and halt a malware infestation in a timely manner.

    People are not only hurting themselves when they fail to meet minimal competence standards on the public network. They should be fined for negligence and have their computers confiscated. The people who would take advantage of that negligence to foist malware and do damage should be sent somewhere where electricity and running water are goals for the future, and internet access is a fantasy.

  53. MrHappiness

    What do you do with people like that?

    On one hand, something has to be done and the person has to be punished.

    But on the other hand, I just don't think throwing him in prison with a bunch of REAL criminals right thing to do with him. He will more than likely leave prison a bigger criminal than he was when he went in. (and probably have problems going to the bathroom too)

  54. Anonymous Coward
    Anonymous Coward

    @Mark Bennett

    "Back in the 13th century, a women could walk, naked and draped in gold chains, from China to Hungary. Anyone touched her, the mongol army would 'discourage' them and make sure that they never, ever, repeated their crime."

    Sounds like b*llshit to me.

  55. John PM Chappell

    @GameCoder

    "Back in the 13th century, a women [sic] could walk, naked and draped in gold chains, from China to Hungary. [If] Anyone touched her, the Mongol army would 'discourage' them and make sure that they never, ever, repeated their crime." - famously true, mate. A little research will dig it up for you; it's probably even on that great social experiment, Wikipedia, somewhere.

  56. Anonymous Coward
    Anonymous Coward

    @John PM Chappell

    "A little research will dig it up for you; it's probably even on that great social experiment, Wikipedia, somewhere."

    A little research may indeed find evidence of this myth. However proving that throughout the 13th century a woman could walk naked and draped in gold chains from China to Hungary without harassment is a bit more problematic. And thats what I'm suggesting is bullshit. People haven't changed.

    If you could cite details of battles involving the Mongol army caused by harassment of naked gold-chained migratory women along such a trek I'd be most interested. And also how many women made this journey in such a manner during the 13th century, and why?

  57. Anonymous Coward
    Anonymous Coward

    @John PM Chappell

    >I get the impression you are trying to challenge the suggestion that

    >those whose machines were hijacked are in no way responsible,

    No, I'm not it was an ironic response. They aren't responsible.

    >you probably ought to know that if you are the driver and/or

    >owner of a car whose brakes are faulty, you're legally fully liable,

    You are responsible for making sure that the car is safe to drive yes.

    >regardless of whether they were improperly installed, imperfect products or

    >anything else.

    My example was slightly different, if you have taken the car to a properly qualified garage who then fraudulently fits parts that aren't suitable, then they are the negligent ones. The driver can demonstrate that they took all reasonable steps which is all that is required of them. You don't have to be a mechanic to drive a car.

    Some people would have the driving test being 4 years full time and involve a lengthy apprenticeship. If people also think this should be a requirement for using a computer then we're all going to be unemployed soon because hardly anyone will use them.

  58. David Hicks

    @The limp wristed wrist slappers

    To all those saying that the kid should be given probation and computer restrictions - Sorry, this is not youthful highjinx. This was a full on commercial venture involving tens to hundreds of thousands of highjacked PCs, all of them spamming their owners and maybe millions of others with unwanted advertising.

    This is pc rooting on an unprecedented scale. This kid IS a real criminal and has negatively affected the lives of huge numbers of people, not to mention being totally unrepentant about the whole thing.

    Jail time is exactly what is warranted here.

  59. Anonymous Coward
    Anonymous Coward

    @ Davdis Hicks

    "This is pc rooting on an unprecedented scale"

    Rubbish - there are hundreds of kiddies and organised commercial hackers who do the same and have done the same.

    These kids used rbot/rxbot, a publicly available bot which they downloaded and then modified. The code to scan subnets was already built into the bot when they got it, they simply added a few extra exploits to scan for.

    They also downloaded and modified commercial spyware/adware software to download to their bots and make money. Easy as 123....

    It didn't require a great deal of expertise for them to do this, the internet provided the tools and the platform. Provide a bunch of teenagers with 10 bottles of vodka and a % of them will drink the vodka. Same goes for hacking tools.

    We need to educate and monitor our kids when we give them access to these things and not throw them in jail for extended lengths when it is us who have allowed them to abuse what is in front of them.

    I'm not saying let them get off scot free but I am saying that almost 5 years in jail is bloody stupid. I've seen paedophiles get less.... Though maybe not in the USA. At least here in the UK they would have gotten a sentence which reflected their age, naivety etc..

  60. TrishaD

    Sixteen

    I do not consider that a 16 yr old is responsible for his or her actions in the same way that an adult is....

    I do however consider that adults with children have a responsibility to ensure that their children act in a reasonably responsible fashion

    So why is it that middle class mum and dad let their idiot child to contine to play around on the internet months after the police were involved? Or was that just too much trouble.........

  61. David Hicks

    @Anon

    "there are hundreds of kiddies and organised commercial hackers who do the same and have done the same."

    Not on this scale, which is why this kid gets articles in the register.

    "These kids used rbot/rxbot, a publicly available bot which they downloaded and then modified. The code to scan subnets was already built into the bot when they got it, they simply added a few extra exploits to scan for."

    And I can go and buy a publicly available hammer and go on a killing spree, doesn't make me any less responsible,

    "We need to educate and monitor our kids when we give them access to these things and not throw them in jail for extended lengths when it is us who have allowed them to abuse what is in front of them."

    I'm sorry, perhaps you ought to re-read the article. This kid did what he did for several years, despite warnings from the FBI, and laughed about it whilst raking in thousands of dollars.

    "I'm not saying let them get off scot free but I am saying that almost 5 years in jail is bloody stupid."

    1. Why? he knew what he was doing and knew it was illegal and carried on.

    2. He didn't get 5 years, that was his adult accomplice. RTFA.

  62. Matthew Anderson

    @ David Hicks

    Again, Rubbish - There are plenty of documented cases of malware spreading of this scale. I would dig them out but will leave that for you to do. In fact, a much larger scale.. And of course, these are just the ones who get caught. I have seen botnets of 100K+ many times. Rxbot was capable of spreading fast when new exploits were added and could scan for multiple exploits too. The more bots in the net the faster it scans.

    Works like this.

    10 rxbots scanning their own subnets and random IP's

    50 infects in 15 minutes

    IRC chan has topic set to scan so all incoming new infects join chan and read topic and start scanning

    60 bots scanning now

    3000 new infects in 15 minutes.

    All start scanning

    Scan all available ip addresses

    60000 bots within a few hours.

    Add new exploit

    repeat..........

    Its simple and any kid can do it, hundreds do. Your hammer analogy sucks, it's not the same.... Behind the computer screen these kids feel like they are doing no wrong. It's not like going out and kicking someone's head in where you can see the hurt.

    So they have the bots, what next? The obvious step is to load some adware on them and make some fast cash... Where did they get the idea? From news articles and IRC chans where other kids boast about it. Not brain science, takes a few hours to set up and do.

    These are not master criminals, they are stupid kids doing stupid things. Because they can and because it's simple.

    RTFA? I did - one got 5 years and he was 18, 18 in my opinion is not an adult....

    David - I can see you have no mercy or understanding, possibly no kids either. So it's unlikely you will get my point. The point is that these kids are given the means to do these things and as such will do them. A gazillion others would do it too , they just don't have the basic computer skills to do so. We should put them in jail for intent? I have came across hundreds if not thousands of kids in IRC asking hacking related questions. They all want to do it.....

    Having spent 10 years in computer security and dealing with malware I think I know what these kids are like and how simple it is to do what they do or want to do. They are just kids..... Kids do.

  63. b
    Flame

    Mercy and understanding

    If it was down to me he'd have been fed his own fingers.

  64. David Hicks

    @Matthew Anderson

    "Again, Rubbish - There are plenty of documented cases of malware spreading of this scale."

    Please do provide these examples. This one is pretty famous, and not just because he was caught. I doubt very much there are the originally claimed "hundreds" of kiddies and companies that have access to this scale of botnet.

    "Its simple and any kid can do it"

    Much like shoplifting, but by the time you've shoplifted tens of thousands of pounds worth of stuff and been arrested and cautionexcd a couple of times...

    "hundreds do. Your hammer analogy sucks, it's not the same.... Behind the computer screen these kids feel like they are doing no wrong. It's not like going out and kicking someone's head in where you can see the hurt."

    They feel like they are doing no wrong, despite visits from the FBI and their co-conspiratos being jailed for five years. That would have set off alarm bells for me when I was 5, let alone 16. If you see nothing wrong with continuing illegal activity after you've been warned and seen friends go down then you're not an innocent kid in a bad situation, you're a wanton felon.

    If they do this once, get warned and stop, that's one thing. Becoming a nuisance to hundreds of thougsands of individuals despite legal warnings is not acceptable.

    "RTFA? I did - one got 5 years and he was 18, 18 in my opinion is not an adult...."

    It's adult in the eyes of the law. Old enough to be employed, to live on his/her own, sign up for the armed forces, make thousands of dollars through computer crime.

    Ancheta, the older one, got the 5 years. His age at time of arrest is not mentioned, his age in 2005 when he was serving (after arrest in 2004) was 20. Is 20 adult enough for you or should we only criminalise over 25s? Over 30s?

    SoBe was given 18 months when he was 18. You still didn't read very carefully.

    "David - I can see you have no mercy or understanding"

    Don't be ridiculous, I have mercy and understanding in spades, but it runs out.

    Those who repeatedly and knowingly break the law after being warned and raided have proven that mercy and understanding are not working for them. They had a chance, they were given mercy and understanding, yet they continued to abuse other people's computers for money.

    How many chances should they be given when they refuse to change? And how many millions of man hours of frustration and cleanup is warranted before they need to be treated as what they are, criminals?

    The central iussue here is not the size of the botnet, it's that they were given fair warning and carried on.

  65. Matthew Anderson

    Fair warning

    Left with an internet connection is not fair warning...

    "oh, don't take that heroin, but you can keep the baggy and needles"

    Temptation is a fine thing.

    @ You still didn't read very carefully.

    I read fine thanks.

    @ Please do provide these examples

    http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=171204550

    http://www.theregister.co.uk/2007/11/30/kiwi_teen_botmaster_arrest/

    http://www.pcworld.com/article/id,142711/article.html

    http://www.securityfocus.com/brief/290

    But then - I'm sure you know how to use Google. Perhaps not though.

    @ The central iussue here is not the size of the botnet, it's that they were given fair warning and carried on.

    I refer to point one about fair warning.

    The central issue here is that these were kids who had the tools at hands to create damage. Would we let them walk into an army base and play with the guns? No. Would they play with the guns if they had a chance too? Yes.

    Secure the internet, made parents more responsible, hand down applicable punishments. 5 years is too long for a non violent crime committed by a guy who has no real world experience. 18 months is too.

    Simply take their computers away from them and have them attend some kind of mandatory awareness scheme. Problem solved.

    @"<david> Oh, they would just get access to other puters"

    Not from the comfort of their own home though, where they have the time/idleness to do these things.

    @"<david> blah blah blah blah"

    Yes, blah blah blah blah.

    You were a model kid of course, never smoked pot at uni, never stole a road sign, never got drunk with your mates and EVER did anything stupid. Of course, yes.

    And all your friends too, they never did any of that either. Because your uber circle would never ever do anything wrong.

    Right

  66. b
    Flame

    Because your uber circle would never ever do anything wrong.

    Like hacking hundreds of thousands of computers and using fraud to gain $58,000?

    Listen to yourself ffs.

  67. Matthew Anderson

    @ b

    They could do it standing on their heads, with their eyes closed, using point and click. OK not quite, but It was not much harder than that.

    You may be missing the point b....

    Are you missing the point b?

    Are yah?

  68. David Hicks
    Paris Hilton

    @Anon

    "Left with an internet connection is not fair warning..."

    The FBI telling you to stop or face prosecution is fair warning.

    The internet is now part of life and taking it away would be much like taking a phone away. He was warned by agents of the top law agency in his country to stop. I don't know how much more plainly it could have been put.

    @some examples.

    That's five, you said hundreds. Also, from the second one -

    "The ongoing investigative effort has thus far uncovered more than $20m in economic loss"

    Which just goes to confirm how serious a crime this is.

    "Secure the internet,"

    Ha! Good one!

    "made parents more responsible"

    Good luck with that too! And how long are these parents supposed to take responsibility? At 18 the older guy is legally an adult and should know better. Sorry.

    "Simply take their computers away from them and have them attend some kind of mandatory awareness scheme. Problem solved."

    Bullshit.

    Also, that doesn't solve the problem the people that own their hundreds of thousands of bots are going through. No, that's not problem solved at all.

    "You were a model kid of course, never smoked pot at uni, never stole a road sign, never got drunk with your mates and EVER did anything stupid. Of course, yes."

    I never did multiple millions of dollars damage to other people's property, after being told by the authorities that it was illegal and I would face prosecution if I didn't stop, no.

    This is several orders of magnitude different from a a quick spliff or a roadcone.

    Paris because, like her, you seem to have no idea what's going on.

  69. Matthew Anderson

    @ David

    @ @some examples

    Re-read, David Hicks. You are big on telling me to re-read, your turn this time.

    Did I say they had all been caught?

    @ Your previous comment, "This is pc rooting on an unprecedented scale."

    How can it be unprecedented when there are occasions that precede it? Use your noggin. Don't make wild claims, know what you are talking about before

    commenting.

    @ Comparing me to LiL missy Hilton.

    I refer to my above comment, it would rather appear I am the ones who is in the know and you are simply making things up as you go along. I suggest a cold shower and 5 years in the slammer.

    @ Bullshit

    Yes, you would rather just throw people in jail. Got you there. Throwing people in jail is NOT what we as an advanced society should do because we cannot think of alternative solutions. But then, perhaps you are not a part of that society. Back in yer cave please.

    @Also, that doesn't solve the problem the people that own their hundreds of thousands of bots are going through. No, that's not problem solved at all.

    Lost me, what? Speaky English please.

    @ This is several orders of magnitude different from a a quick spliff or a roadcone.

    Missing the point again, must be al ell reg thing. It's about simplicity.

    Yes, David. I await your reply. Try to think clearly this time.

  70. David Hicks

    @Matthew Anderson

    "Yes, you would rather just throw people in jail. Got you there. Throwing people in jail is NOT what we as an advanced society should do because we cannot think of alternative solutions. But then, perhaps you are not a part of that society. Back in yer cave please."

    Straw man argument. I would not rather just throw people in jail, I'd rather give them fair warning, which they had. Taking a computer away and giving them some sort of awareness course would have been a waste of time at this point, buying them more time to do even more damage.

    "Lost me, what? Speaky English please."

    Right. I'll help you with your lack of english comprehension.

    You said to take the machine away and send them on a course, the problem is solved. Let alone the fact that these guys were determined to continue, it's not solved even if they do stop. The hundreds of thousands of people whose machines are infested with spyware and adware because of these two individuals are not magically malware free all of a sudden. The problem is in no way solved.

    "Missing the point again, must be al ell reg thing. It's about simplicity."

    No, no I'm not. Your so called point is laughable. It doesn't matter how simple it is if you've been caught and warned by the FBI and you carry on comitting large scale fraud.

    Stop now, you're embarassing yourself with your continued insistance that this was just a childish mistake. It was serious crime, repeated in the face of warnings of prosecution.

  71. Anonymous Coward
    Anonymous Coward

    @Matt

    @ Missing the point again, must be al ell reg thing. It's about simplicity.

    "Why did you steal the money, lie to the police about your involvement and then take more, right in front of them?"

    "I'm sorry y'rhonour, it was just so simple, those mugs didn't lock the bank"

    "Ah well, never mind, you just go home and be a good boy from now on"

    What a stupid argument.

  72. John PM Chappell
    Happy

    Hmm...

    Matthew Anderson: You're talking out of your arse, mate and it's been pointed out quite a few times. Even 16 is not a child; here in the UK, a first world nation, that is old enough to consent to sexual activity, marry, work full time and without restricted shift lengths, etc, etc. At 18 he is demonstrably an adult and US law agrees wholeheartedly, at least wrt criminal acts. The 'pwnage' scale is significant, easily enough to get him headlines in IT press, as it did. As for the criminal penalties, fraud and criminal damage on a large scale, without remorse and over a long period, warrant custodial sentences; he got quite a light one, all considered.

    JonB: Not quite; tackling the car situation first - aye, negligent fitter, but you remain liable for the state of the car, in terms of working features. You have a case against them but you're not absolved of your own offence. Moral: be vigilant, it's your car and your responsibility. Do I even need to draw the analogy wrt the PCs? ;¬)

  73. Anonymous Coward
    Anonymous Coward

    @David Hicks

    Are you perhaps American? In the UK we have much more lenient attitudes to 'white collar' crimes like fraud. He'd have probably got three years in an open prison in Surrey. It's a bit like the Natwest 3, a crime committed in the UK, by UK citizens, against a UK business. Our lot didn't care, but because the tool (literally) of their embezzlement was Andrew Fastow (Enron CFO), they're doing time in Texas. I'd love to read Jeffrey Archer's Texas Prison Diaries...

    Regardless of that, the guy should get 15 years for being a tool. The guy couldnt even compile ircu. Hacking should be punished, 'hacking' by idiots like this should be harshly punished. Any wannabe teenage bot masters, write this down.

    1) Infect your victims PC silently.

    2) Disable any AV you can find, turn off windows update.

    3) Proactively patch with windows patches - don't lose your bot to someone else.

    4) Write a tech/hardware website. Call it 'thefegister.co.uk'. Write a bunch of meaningless stories you read on other sites. Use lots of flashy keywords.

    5) Add Google AdWords all over your site.

    5) Make your bots silently request your website, in hidden IE instances.

    6) Programmatically click the links, spending some time on the advertisers sites.

    7) Retire, get pissed all day, and post insane comments on your site as 'aManFromPluto'

    8) Bahamas

  74. Matthew Anderson

    @ David Hicks

    @ Let alone the fact that these guys were determined to continue, it's not solved even if they do stop. The hundreds of thousands of people whose machines are infested with spyware and adware because of these two individuals are not magicaly malware free all of a sudden. The problem is in no way solved.

    The machines are malware ridden anyway, take one compromised host that has been compromised by a known exploit and you will find several variants of different strains of malware on it, all controlled by different bot herders and such.

    This doesn't make it right though and at no point did I say they should get away with what they have done, I have simply offered alternatives to hefty jail sentences and opposed the sheer length of them. This was not an organised crime gang, this was kids mucking about, drawn by the thrill.

    @ embarassing yourself

    Yes you are, I am factually correct and have made no statements out with my experience in these matters. You however do not seem to know what the hell you are talking about.

    @your continued insistance that this was just a childish mistake. It was serious crime, repeated in the face of warnings of prosecution.

    And I continue to say that these boys, and that's what they were, cannot be held fully responsible in the light of it being so easy for them to do this, their age, maturity and naivety. Perhaps a jail term was warranted for the 18 year old, perhaps, but not just under 5 years and only because of the monetary gain. In the UK he would have gotten 12 months and been out in 6, perhaps 24 months and out in 12 at the most. But most certainly not a full 54 months to be served in it's entirety, ruining the boys life and taking his best years from him.

    There are many aspect to this, we can look at how hacking has been glamorised in movies and we can look at the Internet as still being in it's infancy. Currently it is too easy for kids to do this and they are drawn to it by the hollywood glamorisation and sci fi books. They start with compromising one host and playing tricks with peoples cd drives and mouse cursors, leading up to attacks on a grander scale and as they get older into late teens they realise they can make a buck from it too.

    It's a lifestyle. They are not taught about computer ethics in school, the Internet is an open doorway and they make good use of it. They are addicted to it, hence why they did not stop, they wake up in the morning and start, working into the wee hours of the next morning, every hour they get they go online and think of more ways to infect people. It's not an easy habit for them to break either, again, hence why they carried on, stupidly, despite knowing the authorities were hot after them.

    As I said, I am not saying they should go unpunished, but the sentences passed down were too severe. They probably need "hacking counselling" to break the habit more than anything else. Instead they will come out of jail with nothing to lose and probably just hide their tracks better next time, at least in the case of the guy that got 5 years.

  75. NS Clerk
    Black Helicopters

    .mil and .gov got them the sentences

    It was only a small mention, but it's clear that the .mil and .gov incursions is what got them the sentences. The US currently calls its military operations in Iraq and Afghanistan "war", so compromising military facilities can be seen as a wartime crime by the government. At least they weren't labeled as "enemy combatants" and deported to the Bush administration's "perfectly legal" facility at gitmo.

    The way that .mil was mentioned does make me wonder. Like when you read about a cop who "just happened" to stop a vehicle for a broken light, which "just happened" to be carrying millions in cocaine/heroine/other. Or maybe the .mil stuff got the federales thinking it was Al-Qaeda or the Belgians trying to steal secrets, and once they discovered it was just a couple of idiots making click money, had to get a big sentence.

    The take-away: if you are going to black-hat, you should follow the other black hats' advice and stay away from .mil and the top-secret nuclear National Laboratories.

  76. chris adkins
    Heart

    Advice for David Hicks, Matthew Anderson, Jon PM Chappell

    really guys - its getting boring, no-one is going to win and nothing is going to change because you have managed to refute the other guys 57 points with your own 57 points.

    Remember: http://www.argaste.com/img/arguing_on_the_internet.jpg

    Heart - cause this comment thread needs some love

  77. Anonymous Coward
    Anonymous Coward

    @John PM Chappell

    >You have a case against them but you're not absolved of your own offence.

    No, you're not because you can demonstrate that you took all reasonable precautions to ensure the car was fit for purpose.

    >Moral: be vigilant, it's your car and your responsibility.

    When you last got your brakes done did you check them? Part numbers? Check the brake fluid for water? Bleed the system? How else would you know there's no air in it?

    You have a responsibility but when it comes down to a criminal act it is they who are responsible.

    >Do I even need to draw the analogy wrt the PCs? ;¬)

    I hope not, that's the point isn't it.

  78. Anonymous Coward
    Happy

    Winning formula

    1 .Botnets

    2. ????

    3. Profit!

  79. Fuion
    Thumb Up

    Afterthought

    " It is certainly not getting well laid by some foxy smart broad, that's for sure. "

    - I would like to add 1 "foxy smart broad" to my christmas wish list...

  80. David Hicks

    @Matthew Anderson

    "This doesn't make it right though and at no point did I say they should get away with what they have done, I have simply offered alternatives to hefty jail sentences and opposed the sheer length of them. This was not an organised crime gang, this was kids mucking about, drawn by the thrill."

    You said they should have their machines taken away and have a course on computer ethics. That's effectively nothing. Especially to someone who said:

    ' "It doesn't matter," SoBe insisted in the days immediately following his arrest. "James can get off, and go back to doing it and in under a month he will be making 3x what he made and be able to cover his tracks much better." '

    That's the voice of someone who knew what they were doing would get them in trouble with police (because it already had), knew what they were doing was wrong (or else they wouldn't care about covering their tracks) and is determined to continue.

    I'm sorry, but this is not kids mucking about for a thrill.

    It's not kids "mucking about" when they're 18/19 and buying sports cars with their tens of thousands of dollars of ill gotten gains.

    You are being deliberately and hopelessly naive, as well as changing your tune on appropriate punishment.

    Is there a failing in the parents? yes. Should they have had more education about ethics? Maybe, but you don't even need education about computers to know that stuffing other people's machines with malware is wrong.

    And as for you being factually correct....

    "They are addicted to it, hence why they did not stop,"

    No, SoBe did stop, then he went back to it. RTFA.

    "The machines are malware ridden anyway"

    So bloody what? It just means there are more of these people to catch.

    "cannot be held fully responsible in the light of it being so easy"

    This is utter nonsense, please stop repeating this crap. It's easy to shoplift, it's easy to mug people, it's easy to deal drugs. That doesn't make these things any less criminal.

    "There are many aspect to this, we can look at how hacking has been glamorised in movies"

    So has committing armed robbery on Las Vegas Casinos. So has murder. It doensn't make it right or excusable.

    "It's a lifestyle."

    So is gang crime and drug dealing.

    "It's not an easy habit for them to break either, again, hence why they carried on, stupidly, despite knowing the authorities were hot after them."

    Which is exactly why they need to be forced to stop and reevaluate their lives, something they proved (and stated) they would never do otherwise.

    If you feel that putting people in prison is bad for them because they'll encounter "real" criminals, then please explain what a "real" criminal is, because it seems to me that 58K in fraud is pretty real.

    As for them being given another chance at life, why yes they should have one. That's up to society to provide afterwards. Unfotunately it takes some time for those who have been deliberately and repeatedly dishonest and exploitative to be trusted.

    They brought the loss of the best years of their lives on themselves. If they hadn't been caught, or hadn't been punished (hacking councilling, what a joke), then they would have continued to use the best years of their lives to make other people's lives miserable.

  81. David Hicks
    Stop

    @Matt

    From another article on the same subject (http://arstechnica.com/news.ars/post/20060124-6041.html):

    "It's immoral, but the money makes it right," Ancheta told SoBe during one online chat, according to the indictment.

    And here (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9062839):

    "Ancheta also confessed to making $107,000 in advertising affiliate payments"

    Yeah, just kids mucking around.

  82. John PM Chappell
    Happy

    Sorry, JonB

    My last comment, on this aspect at least, but you're wrong about liability. If your car has a fault, even if you could reasonably not know, you are liable. Specifically, the driver is always liable for ensuring that a vehicle is safe and legal and is always liable to penalties for any offences committed by driving it in a condition that is not so. It doesn't matter, in terms of liability or whether an offence has been committed, if you were misled, could reasonably assume all was well, etc. If you did not realize that, you do now. This is precisely why I like it so much as an analogy for the compromised PCs; I think similar issues of responsibility and liability should apply, legally.

    @ Chris Adkins: if you don't like them, don't read them. If you don't understand the difference between an exchange of views and discussion of points raised and a useless black vs white 'internet argument' you might want to stay off the Reg comments too ;¬) P.S. Hope you find your shift and caps lock keys soon.

  83. golverd
    Thumb Up

    At least IT personnel.....

    ....make money fixing these crap zombie machines.

    So, good for all! As long as M$ is there, we'll have jobs.

  84. Anonymous Coward
    Anonymous Coward

    @John PM Chappell

    >If your car has a fault, even if you could reasonably not know

    It's not that there is a fault that you don't know about, it's that someone else criminally put the fault there. I assure you that if I sneak round in the dead of night and modify your ABS system so there are no brakes once the car goes over 50 then the crash is not your fault.

  85. Anonymous Coward
    Anonymous Coward

    @John PM Chappell

    Here's an actual case.

    http://www.weitzlaw.com/verdicts/Verdict1-23-98.aspx

    It's a bit icky because most of the defendants settled and the claims weren't fully tested. But the driver of the broken car is scot free, the person she crashed into gets the bulk of the liability claim ( WTF?!? ) and the repairer gets the rest.

  86. John PM Chappell
    Happy

    Crossed wires...

    .. I was assuming we were both talking about the UK :¬)

    In the UK what I stated stands, in the USA it seems it depends how good your lawyers are and how well informed other parties are.

    Assumptions are silly, I know, however I made it clear a few times in other parts of my posts that I am from the UK and was referencing UK laws and mores, so I felt safe in assuming and thought you were from the UK too, actually.

    As for your ABS example, in the UK, I am liable. I have a separate but related claim against you for criminal damage or possibly murder, attempted murder, manslaugher, etc, depending on the actual outcome.

    All that said, IANAL so I might have missed some other subtle implications, though I am certain about immediate liability.

  87. Anonymous Coward
    Anonymous Coward

    @Crossed wires...

    Apologies, I only used that because US cases are much easier to find.

    The UK is the same as the states here, the law is based on negligence, requiring a failure of a duty of care. You only have to demonstrate that you took reasonable precautions.

    It's not a separate claim, there is only one instance, that is with the ABS hypothesis I have modified the car, you have taken all reasonable steps to ensure its safety, I have caused the crash you are just another victim in the crash that I have caused.

    If you have a case in mind, I'd be interested to see it, I can't find anything resembling the example at all.

  88. John PM Chappell

    Hmm, I'm not convinced..

    ..but I'm not going to trawl for precedent either. I think this one's a dead duck either way. What topic shall we do to death next? <grin>

  89. Matthew Anderson

    @ David Hicks

    That's all very well but as I said, you do not appear to know what you are talking about.

    Again, I say they are just kids, drawn into feeling they are protected behind their computer screen. Doing things they would not do if it was face to face.

    I will say it again, I have experienced these kids by the bucket load and I know how they work and think. Not from reading articles but by being amongst them. If you are a mechanic I will believe you when you say my gasket is blown, tell me, other than reading articles on ell rego, what experience do you have in these things?

    Judging by your comments, I am imagining none.

    Even the author displayed some sense of sympathy, this is because he conversed with the younger of the two. This gives the author a reasonable voice where as you are talking from the third party.

  90. John PM Chappell

    @ Matthew Anderson (again)

    They were not 'kids', one was a teenager the other an adult, when sentenced both were adults. Cowardice (hiding behind their screens, doing things they would never do in person) doesn't work as an excuse or a legal defence, either.

    We've all experienced 'these kids' by the bucket-load, what on earth makes you think you're somehow more qualified than the rest of us? Mostly they are fairly average boys (very few girls) with a disturbed personality and an over-inflated ego. They tend to rely on tools made by others but claim all manner of 'mad skills' and typically have a very shaky grasp of even such basics as networking protocols.

    The author mostly did what was required to keep a dialogue going, but in any case, sympathy is not the same as excusing the behaviour.

  91. Elrond Hubbard
    Alien

    covering the traces

    This is a good story for the public but for the underground this guy means nothing. He wasn't more than a skiddie, he didn't code shit, but being stupid is not an excuse in hacking. He deserved to got jailed, I just wonder how was he able to operate so long.

    I did remember to their #bottalk channel and to those loosers from bluehell. I always though that the whole netconnection of that eLEET irc server is tapped and these dumbasses were flaming, flaming and flaming about how much power do they have.

    He obviously wasn't too intelligent otherwise he would have make an own bot and drop his irc protocol based shit whatever RX/SD/AGO etc he used and try to code at least a http+ssl based or p2p bot. That wasn't his work either.

    That he got 400K boxens also hard to believe because the new avs, isp security hardenings, idses etc.. So what I think about him, he bought crypters, source codes, since he got money with his adscams. His behaviour wasn't so different from the spammers.

    But I agree with one thing, he didn't screw his life up with hacking, and playing world of warcraft. I spent almost all my life at the front of the computer, rather going out with friends partying, because I had to live in a scum country so don't fucking talk about American Dream TM. This is a life style and why would it be worst than someone else's life which ends with 10 hours work, alcohol and cigarettes and family problems...

This topic is closed for new posts.

Other stories you might like