.. but the problem remains. As I see it, he's guilty of what he did but partial guilt belongs to those who do not take basic steps to secure their machines and/or exercize common sense. I also hold Microsoft (and to a much lesser extent other software companies) responsible for their atrocious attitude to and track record on security.

A basic flaw, for example, with Windows (until Vista at least) is that by default, on home user systems, a user account has full administrative rights with no challenge dialogs generated when they are used. Worse, an awful lot of software, written by Microsoft as well as others, will not even install or in some cases execute, without such privileges.

This guy was not really talented, not especially intelligent, but he learned that it was relatively easy and financially rewarding to use his skills, such as they were, to compromise poorly protected and/or ineptly used machines, for a bare minimum of effort on his part. It also clearly made him feel 'big' and 'clever', plastering over his poor self esteem. In short: The American Dream (tm).

This skiddie isn't the first and he will not be the last, in fact, until Joe Luser takes some responsibility for the security of his machine and exercizes some common sense and moral judgement (how about not downloading that 'free', i.e. stolen, version of your favourite software? The one loaded with trojans.) this problem will be with us, no matter how hard people work on education of users, removal of the payloads, prosecution of the perpetrators and so on.

Boo Hoo!!! Sniveling brat now has to go to jail.

Tough S---!!!!

The judge should add probation conditions to that jail sentence which would put his ass back in jail if he does this again. If you think that I believe that this punk will be reformed; not likely, unless someone in prison makes a "bitch" out of him.

So your argument is that the victim is at least partly responsible, for failing to lock their door / wearing a short miniskirt / whatever? By that standard, you should blame babies for having candy taken off them: it's their own fault for not being older so they could fight back, right?

It makes no difference at all if people are stupid, gullible or dumb. It doesn't give anyone a free pass to treat them like they were inanimate objects, property, slaves. In fact, preying on the weak / defenceless / unarmed is *more* despicable, remember?

It's just like the plot for hackers.

If people had secured their computers, this script kiddy would not have been able to get any bots and he would have gotten bored and perhaps used his talents for better things.

I'm not saying it's the victim's fault. But the victims' stupidity is partially to blame. To use your rape victim analogy, these victims didn't just walk down the street with a short skirt. They pranced through gangster- and thug-filled alleys naked, breasts-a-waving, ass-a-shaking, expecting to come out untouched.

First off, Microsoft (et. al) morally and ethically, should share in some amount of responsibility, but legally, they can't be touched, so to a certain extent, I agree with you there.

As for the rest of your analogies, given your lofty expectations of the typical lay computer user, who doubles as a grandma, clueless kid or uninitiated adult, does that make you a qualified pilot, just because you know how to make paper aeroplanes? Or a brain surgeon, just because you know how to cut things?

Regardless of what we computer professionals think or say about how things should be done, the sad fact of the matter is that companies like Microsoft, Oracle or anybody else for all that matters, really don't place security at the very top of their "to-do" list. Their focus is to do the absolute minimum to give the illusion of being secure, sell in mass quantities AND be profitable.

If reality were more towards how computer and infosec professionals wanted, there wouldn't be quite the need for antivirus, anti-malware personal firewalls, or intrusion detection/avoidance devices, that there is.

If people were simply follow a moral and ethical code, in general, people wouldn't be required to lock up their homes, cars or be concerned about walking around scantily clad. But they don't and because of a few assholes like this kid have to ruin the computer experience for the majority of the non-technically inclined. And if you want to get picky about it, the stupid bastard AND his idiot parents put the DoD and who knows how many businesses at risk, because of his greed and lack of ethics.

Due to the sheer magnitude of infection, and exposure of individuals private data to the truly hostile, I think the little putz should be put away for life, without parole.

But hey, it's not up to me, so he's safe for a few years.

Mini skirt, prancing, leaving your doors unlocked, passing the blame to Microsoft, blaming the victim in general?

Grow up.

None of that is an excuse for someone. It's as bad as saying "Well, the victim shouldn't have left their house door open while they mowed the lawn, it's their own damn fault that I was able to walk in, steal their TV and Stereo!".

I, for one, hope this little shithead gets ten years in Federal prison.

Personally, I'd like a return to 'justice', Mongolian style. Back in the 13th century, a women could walk, naked and draped in gold chains, from China to Hungary. Anyone touched her, the mongol army would 'discourage' them and make sure that they never, ever, repeated their crime.

Same thing should apply to this kind of idiot, ten years in Federal prison, and a court order to never even touch a computer again, on pain of a life sentence.

Like it or not, 'Joe Luser' on his computer pays the bills. The rest of us whoa re properly educated in being totally and uncompromising paranoid have to live with it.

Actually, a victim can be considered to have supplied provocation or mitigating circumstances, so aye, pretty much.

Where I come from (Scotland) it is a more serious offence to steal from a secured vessel or premises than from one which was not. This is because the law recognizes that when a person takes steps to secure their property (and privacy) those who then commit offences against it have shown a determination to do so not merely stumbled upon it and taken advantage ('opportunity crime'). I think this is directly applicable as an analogy for what happened with these botnets; through ignorance or casual disregard many of the bot hosts failed to secure their machines and were compromised.

It's not fashionable to point this out in the present world of "Teh IntarWeb" and "Web 2.0" but connecting machines to a network is inherently risky unless you control all the machines on that network and/or trust all the users. Connecting your machine to a global network via an 'always on' connection and leaving it powered on for most of the day is quite literally asking for trouble. If you want to do this you need to take some common sense measures, ideally you make sure you are sitting behind a real firewall (software is _not_ a firewall, folks, no matter what MS or MacAfee tell you) with your machine using a non-routable address and that the firewall operates proper port access protocols. This used to require some savvy and a bit of cash but today you can get it for free from an ISP or shell out maybe 40 quid at Tesco.

All that said, you ignored the fact that I clearly said the skiddie's actions were not excused, rather I pointed out how an unremarkable teen can commit these actions easily because of the failings of others, including the user of the compromised machines.

[Penguin because it goes a long way towards stopping this kind of stuff]

You must be an American. "He's a minor, therefore we shouldn't give his name." Clear as MUD.

Well, ok, he was apparently writing C code... although not well enough to spot a backdoor of the script he was using. But to keep on with his shenanigans when it was obvious he was under investigation? Duh.

Also, if El Reg is going to point up a quote's bad grammar and spelling, perhaps they should learn that "SoBe was also drawn to Ancheta's social flare" probably has nothing to do with something being ignited. I think the word you were looking for is "flair" - "a skill or instinctive ability to appreciate or make good use of something : talent".

Finally for those who are blaming the victims, you know, the administrators who invented SMTP ran open relay servers. In fact, having an open relay mail server was the default configuration for most of the existence of email. It wasn't until little tosspots started up with spamming all and sundry that the more closed nature of email relaying evolved - the criminals came along and spoiled it for everyone. And you're expecting home users to know better than those early email admins? I agree that MS should have better controls in terms of not having the default account be the admin account... but NT was designed before anything like bots existed. Now MS are trying to catch up (badly) with Vista, but it's not the end users who are to blame.

Stay in school, kiddies

and dont do dru...I mean, Bots.

The analogies are wrong - it's not walking down a dark alley naked, it's walking down a well lit alley that just happens to contain thugs and gangsters with a sign pinned to your back saying "attack me".

The attack itself is more like having your pocket picked as usually you don't notice until much later.

I have a big problem with the fact that people get longer jail times for botnets, than they do for rape, violence and murder/manslaughter.

It's ridiculous!

Even here, they weren't exactly destroying all the computers...they were installing some adware.

Completely and utterly ridiculous.

...and see how good their skilz are when they are trying to control their bonnets with head wands!

Hanging's too good for 'em

> As I see it, he's guilty of what he did but partial guilt belongs to those who do not take basic steps to secure their machines and/or exercize common sense

I'm going to burgle your house. After all you have windows so it's your own fault.

presumably something to do with eradicating fluff

Presumably that's what they had left, after they'd picked the fluff out.

You're welcome to try, but first you have to find it and then you will be disappointed because when I am not there, typically others are and when noone is home, the house is secured (the windows, along with the doors, are secure not just some plywood sheets or wooden struts). Also, where I live is a relatively busy neighbourhood with plenty of people to notice strangers prowling around or trying to force doors and windows.

So, translating this back into an analogy for the original article topic, if my house were a PC it would be running a secure OS, sitting behind a properly configured router (i.e. firewall) and I as the user would not be doing stupid things like downloading supposed videos of C-list celebrities, pirated copies of expensive software or clicking on URLs sent to me in email by strangers. Oh, how interesting, that's pretty much exactly like my real PCs :¬)

Nice try, no cigar.

I agree I emailed el reg before saying they should do a story on him!

Anyway back to the story!

I do find it amusing how most people say “yea he wasn’t smart". How can you come to that conclusion? Have you stood behind his pc and watched him formulate his plans, code applications, etc. infact for that matter could you accomplish what he had? I'm obviously not siding with a botter I just feel some of the comments are stupid! I do agree the sentences for computer crimes are stupid, like really stupid. And you are right people get off on rape charges after a year or two. If you shop lift you might get let off, get a small fine, do community service. If you download a song and get charged you could pay an unlimited fine and probably get sent to jail. It takes the piss

----

if you have the money or just kill some random poor person we don't care.

----

We don't... not really. If it's someone people have heard of they're interested - otherwise they just shrug their shoulders and say "and...?" Read the papers, watch the news - Ant and Dec are "fraudulently" given a comedy award at some show or other and it's news, throw in a couple of token murder/rape cases and that's your front page sorted.

When I was a student someone was clubbed to death with a baseball bat a couple of streets over from where I lived (for being gay I believe) - only reported by the gossips in the local pub and a small article in the Echo.

Honestly - people don't really care.

Oh, "above average intelligence" doesn't mean much - average (in the UK) is 100, above average could be 102 - hardly Stephen Hawking. Face it, the kid was just a numpty skiddie who didn't cover his tracks very well... had his botnet been smaller nobody would have cared and we wouldn't be reading this.

PH - I rest my case

No, the lesson learned is that you do not do it in American. Or anything else for that matter, I do feel for Gary McKinnen if he gets extradited. Would have served a year here maybe, but over there 5+ for sure.

These pair were just kids, they shouldn't be doing jail time. Probation, a fine and restricted access to computers is what they should have gotten.

As for all those that are saying they got what they deserved, if everyone in life went to jail for mistakes they made as a kid but did not get caught for then 99.9% of the population would have served time.

Sometimes we make the wrong decisions in life, we are only human.

Just goes to show - black hats are nothing but common criminals transplanted to another medium. How they ever achieved any kind of fame is beyond me. And kids - do NOT expect to land a job in the security industry after pulling a caper like this. Stealing is stealing, no two ways about it...

I think the sentences are way too light, i think they should be sentences based on the a more fair scale, it takes a competent professional about 1 hour to clean up each computer infected with shit spewing crapware these people are pushing, so an appropriate sentence would be 1 hour for every computer these fuckwads infected.

400,000 computers = 45.7 years in club fed, with 90% of their $1.15 per hour pay rate going to the victims relief fund...

Some of the posters here are forgetting that this little weasel was pursuing his hobby not out of "juvenile high spirits", but out of greed, pure and simple. The wee turd was making money out his enterprises, which means that someone somewhere was losing out, whether because they had to pay for someone to purge the malware, someone stole their credentials. The funds gained from the various ad companies were the result of fraud.

There is an argument that all of us internet users have lost out as a result of the skiddies use of bandwidth and the resources soaked up, financial or otherwise protecting ourselves and/or others.

I agree that crime against the person no longer seem to carry sufficiently severe punishment, but fail to see how this excuses SoBe's anti social behaviour.

Lock the bugger up.

While reading all of the comments, I noticed people are questioning his intelligence because of some of his actions that got him caught. I would argue there is a big difference between acting based on naiveté and acting based on stupidity. He was a kid, and did things that kids do because they do not have the "common sense", "life experience", "street sense", or "life experience" to know not to do certain things. Unless, of course, you are stupid enough to think you really did have life mastered by the age of 18.

From reading the article, it is obvious his naiveté got him caught, not a lack of intelligence. Too bad he could not have met a better mentor to direct his skill and motivation to something more legal and ultimately profitable.

at how naïve some of The Reg readers are. Secure your computer against these guys? You've got to be kidding. Short of cutting your Internet cable, there is no real defense against these bastards. Windows is so full of holes it may as well be swiss cheese.

Of course, it is also easy to jump on the "Microsoft sucks" bandwagon, but I think anyone with an ounce of common sense knows that's not the answer either. Anyone who has worked in law enforcement knows and lives one simple rule. "If someone wants in badly enough, there's nothing you can do to prevent him from getting in." The world is a dangerous place. Anyone who's driven in LA knows that. If you expect less from your OS, you're kidding yourself.

I'm glad to see these guys get busted, and I'm even happier to see them pick up a lengthy stay in federal prison. The fewer of these guys we have on the street, the better, but really, there's no one to blame but them. People who own computers aren't all IT experts and the guys who write operating systems are not gods.

The day someone makes a car that never runs out of gas, always drives you automatically to the place you wanted to go, never collides with anything, and you always get lucky in on a date, then I'll come back to Microsoft and demand perfection.

Robin (and Danny): I'm calling bullshit on that one, sunshine. It's perfectly possible to secure a Windows NT5 based home user system, somewhat harder (and inherently more risky) with Win9x (for those keeping count, NT4 is awkward and was never really home user). The first step, if you use an always on connection is to set networking so that you do not run protocols and services you do not need, the next is to use a router firewall and make sure your IP address is in a private non-routable range. These things in themselves will make many, many exploits impossible (old ones but still regularly attempted just in case). I could go on, but suffice to say that whilst slightly 'technical' it's perfectly possible to secure a Windows PC and the average user can easily be led through the steps.

Tom: I'm pretty much with you on this one. I think multiple murderers (whether in a single incident or repeat offence) should be eligible for execution. I do think we'd need suitably good procedures to make sure but in essence, kill them. As for rape, it tends to get seriously over-hyped. It's a horrible crime, but so is _any_ assault of person and dignity and at the end of the day, rape is pretty much equivalent to serious assaults, it is _not_ in and of itself on a par with murder the way some people seem to want it to be. However, lengthy prison sentences, which actually have to be served, would seem to be the way to deal with rapists and thugs (I'm not saying don't try and 'fix' them, too, but they should still spend a long time deprived of the freedom they obviously were not fit to exercize).

AC (who first replied to Tom): 'Kids' ruin their own lives, the punishment is what they get when they commit crimes. Perhaps if word gets around that the cocky arrogant kids committing crimes left, right and centre are now serving long sentences, their younger siblings won't think it's a bright idea to emulate them. Inexperience, stupidity and ignorance are not valid defences before the law. Oh, he wasn't that bright either, as indicated by the way he went about his activities, his arrogance devoid of competence to back it up and even the fact that he was clearly no coder, just able to edit code (he missed a chunk of code implementing a back door, for Eris's sake!).

AC (who replied to Tom second): I don't think he was suggesting excuting Skiddies, although.... ;¬)

JonB: I get the impression you are trying to challenge the suggestion that those whose machines were hijacked are in no way responsible, if I am wrong I apologize, if not - you probably ought to know that if you are the driver and/or owner of a car whose brakes are faulty, you're legally fully liable, regardless of whether they were improperly installed, imperfect products or anything else. You can sue the installer/manufacturer later but you, the driver, are legally liable.

Thanks for the read, muchos interesting :)

This is totally like the film 'Hackers'