
Man Gets 3 Years for Botnet Attack

Vobbo writes "Weeks after NANOG subscribers argued whether or not mitigating botnet command and control systems was a worthwhile endeavor, the LA Times reports that the old-fashioned method of arresting and prosecuting criminals still works. Prosecutors successfully prosecuted a 21-year-old who had conspired to create botnets that attacked the Department of Defense, a California school district, and a Seattle hospital before being arrested. He pleaded guilty and was sentenced to 3 years of 'supervised release.'"
This discussion has been archived. No new comments can be posted.

  • by the_leander ( 759904 ) on Sunday August 27, 2006 @06:40AM (#15988901) Journal
    Because it seems to me, that the new legislation isn't worth spit, what is needed, is more manpower available to track, prosecute and break up such nets.

    • what is needed, is more manpower available to track, prosecute and break up such nets.

      Perhaps if the police spent less time investigating fraudulent copyright infringement claims [slyck.com] and confiscating a political party's servers [johansvensson.eu] they would have more time to chase real criminals. Or was it only in Sweden that the police ignore the criminals and try to hunt down political activists instead?
      • Re: (Score:2, Interesting)

        by PopeRatzo ( 965947 )
        No, friend, it's not just in Europe. I've driven down streets on the West Side of Chicago, watching police give parking tickets while open-air crack cocaine markets operate in clear view not 100 feet away.

        It's not about crime and safety, it's about power and revenue.

        A reminder to Americans: there's an election in a few months.
        • Re: (Score:3, Insightful)

          by kamapuaa ( 555446 )
          And good for it, too. The "war on drugs" is a sham, possession of crack is a victimless crime that the police should ignore whenever possible. People parking everywhere is a fucking nuisance.
          • Re: (Score:1, Insightful)

            by Anonymous Coward
            "The "war on drugs" is a sham, possession of crack is a victimless crime that the police should ignore whenever possible."

            Tell that to the multitude that is hooked on it. Tell that to the robbery victim whose house was broken into to pay for the addict's next hit. Tell that to the mother whose son was shot in the crossfire of drug dealers' turf wars. And lastly, tell that to the judge as you are in front of him getting your sentence...

            Drugs are not a victimless crime by a far shot.

            • While I agree that drugs are by no means a victimless crime (and crackheads all over your stoop is way more annoying than illegal parking), many of your examples wouldn't exist under drug legalization. If you take out the profit motive, the violence and petty crime largely goes away as well.
        • They were probably just ticketing the dealers' Cadillacs. Hit them in the pocket, it's the best way.
          • by Yvan256 ( 722131 )
            They were probably just ticketing the dealers' Cadillacs. Hit them in the pocket, it's the best way.
            Yeah, he'll sure feel the pain of paying a 50$ parking ticket.
      • Re: (Score:1, Flamebait)

        by Jeff DeMaagd ( 2015 )
        Fraudulent copyright infringement claims? Sweden's worse about upholding the Berne Convention Copyright treaty than China is, so if it's not illegal to participate in the unauthorized redistribution of copyrighted works, then Sweden is in violation of Berne.
        • Sweden is in violation of Berne.

          Show me where in law it states that Sweden violating the Berne convention gives the Swedish police the power to imprison an innocent lawyer and confiscate political parties' web servers.

          If anyone should be arrested it is the members of the Government who are so clearly abusing their powers to suppress views they disagree with. I don't care whether or not I agree with the views - there is this thing we used to have called the right to Free Speech which is slowly being eroded u
          • and confiscate political parties' web servers

            Without going into the rights or wrongs, you make it sound like the political party was innocent collateral damage, when it was these very same servers, under the auspices of a 'political party', that were directly involved in the related police action.

            • Re: (Score:3, Interesting)

              by tinkerghost ( 944862 )
              I suggest you take a closer look at the facts in this situation. The police confiscated all the servers at the ISP. Pirate Bay, Pirate Party, and every other server hosted at the ISP. It was not an attempt to shut down the pirate party, it was a clear instance of attempting to intimidate ISPs into not hosting Pirate Bay. The Pirate Party and the Pirate Bay share several things, but servers are not one of them, nor is one a direct affiliate of the other.
    • Disabling raw sockets and making people more accountable for their machines may help too.

      I don't care if you get exploited. You should know enough to figure out when it has happened [e.g. your modem goes crazy] and do something about it [e.g. turn computer off]. And why ISPs still let people transmit IP packets with forged src addresses I'll never know. Sure it's technically valid [as far as IP datagrams go] but the only legitimate use is to DoS something.

      Oh, and a public flogging wouldn't hurt either.

      Tom
      • Disabling raw sockets... may help too.

        Any socket is a raw socket, e.g., just because port 80 is the standard port for http doesn't mean I have to use http over it.

        • Re: (Score:3, Informative)

          by tomstdenis ( 446163 )
          That's not what a raw socket is...

          A raw socket is basically an IP socket where you get to form the IP header and payload however you want. You can then send things like ICMP packets with the incorrect src address. Or you can issue TCP connect requests with the wrong address, etc...

          Running httpd on port 81 is still a TCP/IP socket. You'd be sending out a valid src address and the like.

          Tom
          • Fair enough; at what level would you have them disabled? OS? ISP?
            • Re: (Score:3, Informative)

              by tomstdenis ( 446163 )
              ISP. It's actually a really simple iptables or PF filter. On the gateway that serves [say] 70.8.4.0/24, you just reject all packets where the src address doesn't match.

              If you want to get more fancy you could make sure ip associates with the MAC address. But generally if you can track a DDoS participant to an ISP gateway you can narrow it down from there if it's still active [or if you keep stats].

              Tom
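The source-address check from the comment above, written out as an added example (not part of the original thread or any poster's code): a Python model of the gateway's decision, first prefix-only and then with the IP-to-MAC association, keeping per-MAC drop counts. The lease table, MAC addresses and packet list are constructed; 70.8.4.0/24 and 24.68.77.15 are addresses used in the thread.

```python
import ipaddress
from collections import Counter

# The /24 is the prefix used in the comment; everything else is constructed.
CUSTOMER_PREFIX = ipaddress.ip_network("70.8.4.0/24")

# Hypothetical lease table (IP -> MAC) the gateway would learn from DHCP.
LEASES = {
    "70.8.4.10": "00:11:22:33:44:10",
    "70.8.4.11": "00:11:22:33:44:11",
}

# Constructed packets seen on the customer-facing side: (source IP, source MAC).
SAMPLE_PACKETS = [
    ("70.8.4.10", "00:11:22:33:44:10"),    # honest subscriber
    ("24.68.77.15", "00:11:22:33:44:10"),  # forged source outside the prefix
    ("24.68.77.15", "00:11:22:33:44:10"),  # same again
    ("70.8.4.11", "00:11:22:33:44:10"),    # in-prefix, but a neighbour's address
    ("70.8.4.200", "00:11:22:33:44:99"),   # in-prefix, never leased
    ("70.8.4.11", "00:11:22:33:44:11"),    # honest subscriber
]


def check_egress(src_ip, src_mac, prefix=CUSTOMER_PREFIX, leases=None):
    """Decide what the gateway does with one packet from the customer side.

    Returns (verdict, reason). With leases=None only the prefix check runs,
    which is what a rule such as
        iptables -A FORWARD -i <customer-if> ! -s 70.8.4.0/24 -j DROP
    expresses (<customer-if> is a placeholder). With a lease table the
    source IP must also belong to the MAC that sent the frame.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return ("drop", "malformed-source")
    if addr not in prefix:                      # also false for IPv6 sources
        return ("drop", "source-outside-prefix")
    # Network and broadcast addresses are not assignable hosts in this /24.
    if addr in (prefix.network_address, prefix.broadcast_address):
        return ("drop", "reserved-source")
    if leases is not None:
        owner = leases.get(str(addr))
        if owner is None:
            return ("drop", "no-lease")
        if owner.lower() != src_mac.lower():
            return ("drop", "mac-mismatch")
    return ("forward", "ok")


def run_gateway(packets, prefix=CUSTOMER_PREFIX, leases=None):
    """Filter a packet list; return (forwarded, drop counts per (MAC, reason)).

    The counters are the "stats" that let an operator narrow a report
    down to one subscriber port after the fact.
    """
    forwarded = []
    drops = Counter()
    for src_ip, src_mac in packets:
        verdict, reason = check_egress(src_ip, src_mac, prefix, leases)
        if verdict == "forward":
            forwarded.append((src_ip, src_mac))
        else:
            drops[(src_mac.lower(), reason)] += 1
    return forwarded, drops


if __name__ == "__main__":
    for label, leases in (("prefix only", None), ("prefix + MAC", LEASES)):
        forwarded, drops = run_gateway(SAMPLE_PACKETS, leases=leases)
        print(f"{label}: forwarded {len(forwarded)} of {len(SAMPLE_PACKETS)}")
        for (mac, reason), count in sorted(drops.items()):
            print(f"  dropped {count} from {mac}: {reason}")
```

The prefix-only pass still forwards a packet that borrows a neighbour's in-prefix address; only the lease check catches that case.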
              • Any legitimate use for access to sockets at that level?
              • by dotgain ( 630123 )
                That's a bit misleading. That doesn't disable raw-sockets, it drops packets outgoing that are spoofed.

                • which is one of the major problems with DDoS. If I *know* that a packet from 24.68.77.15 is actually from 24.68.77.15 then I can hold them accountable [because ignorance is no defense btw].

                  Once people take their security seriously [or serious enough to get 15 minutes of training] then we're all set.

                  I mean in this day and age where everything is done over the net, why do you need training to drive a car but zero to own a high performance desktop with a crazy amount of bandwidth?

                  I'm not saying we should have
                  • by dotgain ( 630123 )
                    I don't disagree with your points, I just got all excited that you seemed to know a way for an ISP to stop customer machines being able to use raw sockets - they can't. Indeed, there doesn't seem to be a valid argument to let spoofed source IPs through.
                    Ben
      • Disabling raw sockets in the OS won't get you anywhere, not so long as users are running with full privileges.
        If you disable raw sockets, the backdoors will just start re-enabling them, sending raw ethernet frames instead of raw tcp, or even installing a replacement tcp stack which supports raw sockets properly.
        • Re: (Score:3, Informative)

          by tomstdenis ( 446163 )
          No, ***ISPs*** should disable raw sockets.

          E.g. your address is 70.3.44.8, if your IP packets don't have that in the src address then null-route the sucker. Boom, no more anonymous DDoS as the zombies will be trackable and then can be held accountable.

          Tom
          • What a novel idea, egress filtering subscribers' connections to the Internet.
            • Why not? They already do it. Try inventing your own protocol stacked on 802.3 and get it routed through your ISPs network. Won't happen [or at least shouldn't].

              Filtering based on IP src address is not a bad idea given how easy it is to abuse. There are few legitimate reasons you would spoof a src IP anyways.

              And before you start jumping up and down about millions of customers, most ISPs have local gateways for a limited subset of customers. I'm in a /24. So there are at most 253 other people in this sub
              • Are you kidding? I've never seen an ISP do this and it'd be a bloody good thing to do.

                As for millions of customers, how trivial would it be for SOHO vendors (Linksys/Dlink/Netgear) to implement this sort of thing?

                It still wouldn't help the non spoofed DDoS attacks, however. But in this day and age of the Internet, who's to say QoS shouldn't be built in.

                • Why is it a bad thing? I'm actually curious to hear your thinking.

                  Tom
                  • I don't think it's a bad idea at all, my points were that it hasn't happened, and that the soho market vendors could address this issue as well as ISPs. I'm assuming we were in agreement that filtering traffic to only allow src addressed traffic assigned by the ISP from the customer's device would be allowed to be sent onward to the Internet.
                    • Re: (Score:3, Insightful)

                      by tomstdenis ( 446163 )
                      I violently agree with what essentially we are both saying! hahahaha.

                      Yeah, admittedly it would be ideal to do the PF matching in hardware to reduce latency. Hell, I'd be for just doing it in the modems themselves. Make the damn thing locked and most zombie'ed machines wouldn't be able to work around it.

                      But that's costly as millions of people have modems already. There are fewer gateways than there are modems so ...

                      This is just like the spam problem. A simple solution is hashcash but nobody seems to want t
      • You aren't talking about what is normally referred to in the literature as "disabling raw sockets". You're talking about enforcing source-based filters on edge routers. Disabling raw sockets usually refers to implementations at the OS level that hide or control access to the API of the lower levels of the network stack.

        But this is beside the point, really: The problem is a human one, not a technological one. You can't force enough ISPs to implement source-checking filters to make a dent. You'd have to
  • I wonder... (Score:4, Insightful)

    by ZeroExistenZ ( 721849 ) on Sunday August 27, 2006 @06:51AM (#15988922)

    ... how this new type (spammers, mailflooders, scriptkiddies, 'hackers', scammers, ...) of jail-citizen are welcomed and treated.

    I often read these kind of things and wonder whether punishment isn't too hard on cybercrime, if you compare the crimes committed to equal the sentence time. It appears out of proportion to me.

    In this case one can argue it's a "conspiracy against the government" or a plot to "attack the US infrastructure". However, I doubt the guy ever planned to start some sort of war with the government, other than showing his discontent or something like that.

    It doesn't really matter how I think about this specific case, but it makes me wonder to what computer crime (and the definition thereof) compares to other crimes? I can see the scammers being up there with fraud, no argue. But I'm sure about the others.

    • Re:I wonder... (Score:5, Interesting)

      by legoburner ( 702695 ) on Sunday August 27, 2006 @06:57AM (#15988929) Homepage Journal
      I would imagine that since most people don't understand the full effect of the crimes, that they are more influenced by fictional events and representations. In a trial by a Jury or Judge who is not familiar with the exact scope of the technology, perhaps they err on the side of (what they see as) caution and give stricter penalties in comparison to something that is easily understood like burglary.
      • Re:I wonder... (Score:5, Insightful)

        by tomstdenis ( 446163 ) <tomstdenis@gma[ ]com ['il.' in gap]> on Sunday August 27, 2006 @08:31AM (#15989095) Homepage
        That's true in a certain sense, but also keep in mind the govt wants to make examples of these people. They may have only DoS'ed the government, but that's a small step to an extortion ring. Let me know when your company is going bankrupt because you have no net presence and thus no customers. See if you feel so liberal about it then.

        That and frankly little script kiddies are not harmless, they're ignorant and there is a difference. The net really depends on the netizens actually playing nice [or at least fair] with one another. When people like this take it upon themselves to affect so many, they deserve an appropriate punishment.

        Tom
        • Indeed, I did not mean to sound like I was defending their actions. You state yourself it is only a small step to an extortion ring but that does not mean it should be punished as if it was one unless there is specific evidence they were actually operating one. Good point about ignorance vs harmlessness, but that is where the courts have to decide on the true malicious intent and at the same time is where and why they might be too harsh in some cases.
          • Yeah, shoplifting is a minor [in terms of violence] crime but it too is a short step from shoplifting with a knife or a gun. Deviant behaviour has to be curbed before it gets too "routine" for the offender. At the point where they have no moral compunction with DoS'ing for no-profit, they'll make the switch.

            Frankly, "intent" aside if you did it you did it. If I rob a store, I may not intend to give the clerk a heart attack, but I did it just the same. Why shouldn't I be held accountable for it?

            And again
            • I disagree with your claim that it is "...it too is a short step from shoplifting with a knife or a gun...At the point where they have no moral compunction with DoS'ing for no-profit, they'll make the switch.". Motives for shoplifting are to profit with the least amount of risk. It is generally not done with a sense of desperation. Armed robbery has different things driving it beyond just profit, such as desperation, contempt, and anger. To say that it is a natural and likely progression is as unrealist
      • Comment removed based on user account deletion
        • by penix1 ( 722987 )
          "Again we don't know what the full effect of these attacks are, it does state he attacked "Seattle's Northwest Hospital" what if this attack caused 1 or more important systems to die. I know many hospitals around here, are computerizing the control of their power distribution, in the building or other internal services such as your records."

          This is just silly. Any company that has critical real-time priority systems connected to any computer connected to the Internet deserves the wrongful death suit they get.
      • Perhaps it's time to have a technical court, where people like this kid really can be tried by a jury of their peers. For the most part, I've not been happy with the way the judiciary in the U.S. has been handling technical issues. The truth is, the fear of technology (which equates to fear of the unknown for most people) combined with resentment towards those who can use technology effectively, often results in punishments that far outweigh the crime. In this case, it sounds like the kid got off lightly. I
    • Re: (Score:2, Interesting)

      by hoshino ( 790390 )
      It depends on whether you think crimes should be judged by the intentions (which is often hard to gauge) or the effects (which can usually be factually shown). While cyber criminals often do not have the intention of causing harm to other people the same way a terrorist wants to kill people, the actions of cyber criminals can have the same if not greater effects. If someone released a computer virus that paralyzed a hospital's computer system and caused the deaths of numerous patients due to equipment fai
    • Well, in this case it seems the guy isn't going to jail, the summary says "supervised release" and the article doesn't really explain what that is, but I imagine he probably has to wear an ankle bracelet, and will only be allowed to leave the house for employment, and may be restricted in his computer activities. However, he won't be going to "Federal pound me in the ass prison". This seems like a fair sentence. He will have a much harder time getting a good job because of his criminal record, but I gues
    • Re:I wonder... (Score:5, Insightful)

      by Konster ( 252488 ) on Sunday August 27, 2006 @07:26AM (#15988979)
      If anything, punishments for IT-related crimes are far behind where they should be. In a lot of ways, the internet is the modern equivalent of the lawless west where there are far too many criminals and far too few deputies and effective laws put into place to deal with criminals.

      Same thing in IT right now, lots of easy crimes to commit with few real repercussions for illegal actions.

      • Isn't that more a failure of police/detectives to find and arrest the criminals than a lack of laws? In the Wild West there were plenty of laws against robbery and murder. The problem was there wasn't enough law enforcement officers to actually enforce the laws. Applying the same analogy to the current Internet, we need more intelligent police who can understand and follow up on crimes. Right now, most police don't understand the concept of most computer crimes beyond "hacking" and "stealing". If we ca
      • Re:I wonder... (Score:4, Insightful)

        by div_2n ( 525075 ) on Sunday August 27, 2006 @11:41AM (#15989663)
        the internet is the modern equivalent of the lawless west where there are . . . far too few . . . effective laws put into place to deal with criminals.

        This argument is exactly what causes new cyber laws to be needlessly written. It's pure balderdash. Theft is still theft, extortion is still extortion, etc. Just because the behavior is done over the wire doesn't make it any less or more of a crime. The only part of the law that might be lacking is extradition where someone in country A launches an attack of some sort on someone in Country B.

        The only thing the internet does is make crime less risky in terms of immediate repercussions. If you rob a bank in person with a gun, all sorts of things can go wrong. If you do it over the wire, you can have your money and be sitting on the beach of a country with no extradition treaties (see above argument) sipping on a cool drink before the authorities even know your name. Even better than that, you can do it from the beach while sipping on a cool drink.

        The internet melts international borders. The law hasn't caught up with that yet. Focus on that and getting better trained law enforcement to deal with cyber crime more quickly. If the law needs to be changed, the only thing I suggest is to make cyber crime default to maximum penalties. You don't need to reinvent the wheel to deal with the same crime that has been around since laws began.
        • by cdrguru ( 88047 )
          The problem is in some places it is legal to rob banks, if you do it in the right way. There are certainly places where defrauding people of their money is not considered a crime. Places where the age of consent is 12, so photos of nude 13-year-old boys are perfectly appropriate.

          So if you are operating from a country where the law allows you to take money from an electronic system because their laws weren't written with electronic banking in mind, who is to stop you? Do you think the victim's country's

        • Is it the same in all cases though? Is copying files from someone's computer the same as robbing their house? Is breaking into someone's computer the same as trespassing? Just because 2 crimes are similar doesn't mean that they pose the same threat/cause the same amount of harm to society and should be punished to the same extent.
    • All this guy got was "supervised release", which is essentially probation. "... offenders placed on supervised release are allowed to remain in the community; they are supervised by officers of the court and are required to observe certain conditions of their release." His sentence is in line with other people who were convicted of various forms of fraud.
      • Does "supervised release" mean that he'll have to go back and live with his parents, who'll check on him every hour to make sure he isn't surfing porn, downloading pirated movies, or trying to take down the internet?
        • by Secrity ( 742221 )
          He is 21 and not a minor. I didn't see that court requires that his parents participate in his supervision as a condition of his release. If his parents allow him to live in their house, the conditions under which he would be allowed to live there would be a decision that his parents would make.
        • Re: (Score:3, Interesting)

          by penix1 ( 722987 )
          "Supervised release"=="probation". They are assigned a probation officer to monitor the convicted to ensure they are living up to the conditions of their probation. One infraction of their probation sends them back to complete the full term of their sentence. Depending on the conditions, it can range from home confinement type (where they wear a tracking device and have frequent call-ins) to where they report in to the probation officer once a week or so. It depends on what the court orders. Another thing a
          • ONE violation? heh. If you believe THAT you have FAR too much trust in the government's ability to control or deter crime.
    • Re: (Score:2, Insightful)

      by widget54 ( 888141 )
      Not harsh enough! He got a slap on the wrist, which in no way is going to deter others from imitating his network antics.
    • Re:I wonder... (Score:5, Insightful)

      by PeeAitchPee ( 712652 ) on Sunday August 27, 2006 @08:48AM (#15989136)

      I was gonna mod you down, but I'll be constructive and reply instead.

      Before anyone screams conspiracy or defends this person, RTFA. This guy and his two buddies made over $100,000 from advertisements displayed by their little botnet. His motivation was simple . . . money, which last time I checked is no different than that of the spammers that almost every single Slashdotter would like to see ruthlessly executed and buried in an unmarked grave somewhere. The fact that he attacked (probably because of the indiscriminate nature of his botnet) public infrastructure is somewhat irrelevant other than it means it's easier for them to nail him to the wall 'cuz he got too lazy to look after all of the domains he was targeting. I think if we started vigorously prosecuting MORE of these people, and punishing them with jail times such as these, (US-based) botnet attacks would dramatically decline (as would spam). GO AFTER THE MONEY.

    • So, do you think that attacking a hospital and possibly bringing their system down -- with peoples lives actually in the balance -- is not worthy of jail?
    • It is frontier law. Back 100 years and a bit around here the only punishment for murder or horse stealing was to be hung. Back then it was nearly impossible to keep such individuals locked up and releasing them was even worse.

      While we can't realistically hang crackers for this kind of thing severe punishments with long jail sentences are a practical necessity. Just in terms of money lost on bandwidth alone justifies a heavy handed approach. And that isn't even counting the severe crimes like molestation, rape
    • by VENONA ( 902751 )
      One thing commonly done with bots is scan for other machines to infect. If the next machine is doing something important, and becomes unresponsive, etc., then that's just too bad. Botherds don't really care who is injured by their actions, so long as they make money. In this case:

      "In searching for more computers to infect, the bot software used by the group caused trouble amongst some systems at Northwest Hospital: doors to the operating room failed to open, pagers did not work, and computers in the intensi
  • by Elvis77 ( 633162 ) on Sunday August 27, 2006 @07:03AM (#15988945)
    My teenagers have managed to install spyware on ALL my computers... little did I know that they could earn a living at it...
  • Christopher Maxwell, 21, of Vacaville, Calif., was also sentenced to three years of supervised release.

    The amount of crime is inversely proportional for the tolerance of the crime. That is, if the punishment for a crime were to be severe enough there would be little of it. Guess with this kind of sentence we can expect more crime.

    • by alexhs ( 877055 )
      The amount of crime is inversely proportional for the tolerance of the crime.

      <sarcasm> Yeah, that's why with death penalty there's a lower crime rate in the U.S. than in the other industrialized countries </sarcasm>
      • by cdrguru ( 88047 )
        The relationship of the death penalty in the US having a "deterrent effect" compared with other countries must be compared the same way that gun violence compares in other countries with equal or greater guns per capita.

        This doesn't necessarily say that the death penalty offers much in the way of deterrence, but inferring that it has a negative effect because there are fewer death-penalty level crimes in other countries without the death penalty is not a reasonable correlation.

        The US has been on slow boil s
    • what a cute, plausible sounding theory based on the rational choice model. do you have any empirical evidence to support it?
    • by 49152 ( 690909 )
      The amount of crime is inversely proportional for the tolerance of the crime. That is, if the punishment for a crime were to be severe enough there would be little of it.

      Ignorant bullshit!

      If that was true then there would be virtually no murders in the US due to the death penalty. We all know how that worked out, the US now is one of the last places in the developed world with a death penalty and also the place with the highest murder rate.
      • But it's a chicken vs. egg problem. The death penalty wasn't relegalized in the US until the mid-1970's. And it was a gradual thing. Was the DP enacted because of crime or did crime occur because of the death penalty?
  • He deserved it! (Score:3, Insightful)

    by alexhs ( 877055 ) on Sunday August 27, 2006 @09:28AM (#15989216) Homepage Journal
    I mean, that guy deserved that sentence, if he had been half clever he would have claimed he did that to collect evidence against pedophiles. And he would've gotten money from the FBI instead !
  • Just wait until he finds out how a Denial of Service attack feels like when it's played out on his @ss. Not to mention viral intrusions.
    • Given that he's on supervised release, I guess he must have a really horrible home life. I guess jail would have been a better option for this guy.
    • That statement, sir, is incredible in its reprehensibility. Let me clarify for the potentially confused:
      Nothing justifies rape. Ever.
  • Is it just me or did this link to a previous story? Here's the link I found:

    http://seattletimes.nwsource.com/html/localnews/2003226994_botnet26m.html [nwsource.com]

  • He messed up a lot of people's machines, and he did it for money. I don't have a lot of sympathy, beyond a certain awe at the degree to which he is fucked. His life is pretty much over.

    His probation stipulations will probably include not using computers, which when coupled with a felony conviction means he's going to be pretty much fucked in the job market when he gets out. Unless he has a whole bunch of other talents, like, being a Master Chef or something. He is therefore saddled with an unpayable debt. Even if he does pay it off, that's the equivalent of one whole house he won't get to buy. And that has repercussions down the line - who's going to hook up with a jobless loser with insurmountable debt? Added on top of the usual computer geek dating handicap, that's crushing.

    He didn't think about the consequences when he attacked 400,000 machines. He probably didn't know he was hitting DoD networks and a hospital. Well, I'm not sure that attacking 400,000 home users wouldn't have still qualified him for this massive pain. Doing evil to a lot of people just because you can and get paid for it merits this kind of response.

    A cleanup like he forced is expensive.

    Folks - if you are interested and curious about computer security, set up a lab and 0wn the boxen therein to heart's content. Don't fire lots of live ammo indiscriminately in densely populated neighborhoods, you dig? You can probably get in on a Capture the Flag haxoring event at a con near you on a nicely isolated network set up for the game. Win a Defcon CTF and I'll have a lot of respect. Being just another botherder does not show any impressive skeelz.

    • His probation stipulations will probably include not using computers, which when coupled with a felony conviction means he's going to be pretty much fucked in the job market when he gets out. Unless he has a whole bunch of other talents, like, being a Master Chef or something. He is therefore saddled with an unpayable debt.

      Congratulations, that set of circumstances pretty much guarantees that restitution will never be delivered, making it pointless (see also: other cases where large sums are demanded of a

  • There will be no punishment harsh enough to stop some people from trying to gain funds in this way. An excellent example of this is the failed "war on drugs", even though the penalties have gotten harsher the drug trade is still flourishing and billions are being made. Are the purveyors of these drugs knowledgeable of the laws they are breaking and the sentences that will be handed down to them if caught?? Of course they are, but they are still willing to take that risk, simply because of greed. The big d
