I Was A Teenage Bot Master One day in May 2005, a 16-year-old hacker named SoBe opened his front door to find a swarm of FBI agents descending on his family's three-story house in Boca Raton, Florida. With an arm and leg in casts from a recent motorcycle accident, one agent grabbed his good arm while others seized thousands of dollars worth of computers, …
.. but the problem remains. As I see it, he's guilty of what he did but partial guilt belongs to those who do not take basic steps to secure their machines and/or exercize common sense. I also hold Microsoft (and to a much lesser extent other software companies) responsible for their atrocious attitude to and track record on security.
A basic flaw, for example, with Windows (until Vista at least) is that by default, on home user systems, a user account has full administrative rights with no challenge dialogs generated when they are used. Worse, an awful lot of software, written by Microsoft as well as others, will not even install or in some cases execute, without such privileges.
This guy was not really talented, not especially intelligent, but he learned that it was relatively easy and financially rewarding to use his skills, such as they were, to compromise poorly protected and/or ineptly used machines, for a bare minimum of effort on his part. It also clearly made him feel 'big' and 'clever', plastering over his poor self esteem. In short: The American Dream (tm).
This skiddie isn't the first and he will not be the last, in fact, until Joe Luser takes some responsibility for the security of his machine and exercizes some common sense and moral judgement (how about not downloading that 'free', i.e. stolen, version of your favourite software? The one loaded with trojans.) this problem will be with us, no matter how hard people work on education of users, removal of the payloads, prosecution of the perpetrators and so on.
Boo Hoo!!! Sniveling brat now has to go to jail.
Tough S---!!!!
The judge should add probation conditions to that jail sentence which would put his ass back in jail if he does this again. If you think that I believe that this punk will be reformed; not likely, unless someone in prison makes a "bitch" out of him.
So your argument is that the victim is at least partly responsible, for failing to lock their door / wearing a short miniskirt / whatever? By that standard, you should blame babies for having candy taken off them: it's their own fault for not being older so they could fight back, right?
It makes no difference at all if people are stupid, gullible or dumb. It doesn't give anyone a free pass to treat them like they were inanimate objects, property, slaves. In fact, preying on the weak / defenceless / unarmed is *more* despicable, remember?
If people had secured their computers, this script kiddy would not have been able to get any bots and he would have gotten bored and perhaps used his talents for better things.
I'm not saying it's the victim's fault. But the victims' stupidity is partially to blame. To use your rape victim analogy, these victims didn't just walk down the street with a short skirt. They pranced through gangster- and thug-filled alleys naked, breasts-a-waving, ass-a-shaking, expecting to come out untouched.
First off, Microsoft (et. al) morally and ethically, should share in some amount of responsibility, but legally, they can't be touched, so to a certain extent, I agree with you there.
As for the rest of your analogies, given your lofty expectations of the typical lay computer user, who doubles as a grandma, clueless kid or uninitiated adult, does that make you a qualified pilot, just because you know how to make paper aeroplanes? Or a brain surgeon, just because you know how to cut things?
Regardless of what we computer professionals think or say about how things should be done, the sad fact of the matter is that companies like Microsoft, Oracle or anybody else for all that matters, really don't place security at the very top of their "to-do" list. Their focus is to do the absolute minimum to give the illusion of being secure, sell in mass quantities AND be profitable.
If reality were more towards how computer and infosec professionals wanted, there wouldn't be quite the need for antivirus, anti-malware personal firewalls, or intrusion detection/avoidance devices, that there is.
If people were simply follow a moral and ethical code, in general, people wouldn't be required to lock up their homes, cars or be concerned about walking around scantily clad. But they don't and because of a few assholes like this kid have to ruin the computer experience for the majority of the non-technically inclined. And if you want to get picky about it, the stupid bastard AND his idiot parents put the DoD and who knows how many businesses at risk, because of his greed and lack of ethics.
Due to the sheer magnitude of infection, and exposure of individuals private data to the truly hostile, I think the little putz should be put away for life, without parole.
But hey, it's not up to me, so he's safe for a few years.
Tits-a-jiggling? Most botted folk don't wave a "come bot me" flag and most don't even know they've been botted.
There is a very low-tech solution to this:
Turn yah computer off then you're not using it. Apart from saving power, an off computer can't bot.
Yeah I know there are some torrenting folk etc, but for the most part they are not the people being botted.
ISPs could surely also take some effort to identify botting and warn the botted.
I've heard people say that turning computers off/on breaks them. I don't believe that. I have 7 computers here that get turned on/off once a day (the laptops more often) and in 15 odd years I've never had one break due to powering up\/down.
Mini skirt, prancing, leaving your doors unlocked, passing the blame to Microsoft, blaming the victim in general?
Grow up.
None of that is an excuse for someone. It's as bad as saying "Well, the victim shouldn't have left their house door open while they mowed the lawn, it's their own damn fault that I was able to walk in, steal their TV and Stereo!".
I, for one, hope this little shithead gets ten years in Federal prison.
Personally, I'd like a return to 'justice', Mongolian style. Back in the 13th century, a women could walk, naked and draped in gold chains, from China to Hungary. Anyone touched her, the mongol army would 'discourage' them and make sure that they never, ever, repeated their crime.
Same thing should apply to this kind of idiot, ten years in Federal prison, and a court order to never even touch a computer again, on pain of a life sentence.
Like it or not, 'Joe Luser' on his computer pays the bills. The rest of us whoa re properly educated in being totally and uncompromising paranoid have to live with it.
Actually, a victim can be considered to have supplied provocation or mitigating circumstances, so aye, pretty much.
Where I come from (Scotland) it is a more serious offence to steal from a secured vessel or premises than from one which was not. This is because the law recognizes that when a person takes steps to secure their property (and privacy) those who then commit offences against it have shown a determination to do so not merely stumbled upon it and taken advantage ('opportunity crime'). I think this is directly applicable as an analogy for what happened with these botnets; through ignorance or casual disregard many of the bot hosts failed to secure their machines and were compromised.
It's not fashionable to point this out in the present world of "Teh IntarWeb" and "Web 2.0" but connecting machines to a network is inherently risky unless you control all the machines on that network and/or trust all the users. Connecting your machine to a global network via an 'always on' connection and leaving it powered on for most of the day is quite literally asking for trouble. If you want to do this you need to take some common sense measures, ideally you make sure you are sitting behind a real firewall (software is _not_ a firewall, folks, no matter what MS or MacAfee tell you) with your machine using a non-routable address and that the firewall operates proper port access protocols. This used to require some savvy and a bit of cash but today you can get it for free from an ISP or shell out maybe 40 quid at Tesco.
All that said, you ignored the fact that I clearly said the skiddie's actions were not excused, rather I pointed out how an unremarkable teen can commit these actions easily because of the failings of others, including the user of the compromised machines.
[Penguin because it goes a long way towards stopping this kind of stuff]
Well, ok, he was apparently writing C code... although not well enough to spot a backdoor of the script he was using. But to keep on with his shenanigans when it was obvious he was under investigation? Duh.
Also, if El Reg is going to point up a quote's bad grammar and spelling, perhaps they should learn that "SoBe was also drawn to Ancheta's social flare" probably has nothing to do with something being ignited. I think the word you were looking for is "flair" - "a skill or instinctive ability to appreciate or make good use of something : talent".
Finally for those who are blaming the victims, you know, the administrators who invented SMTP ran open relay servers. In fact, having an open relay mail server was the default configuration for most of the existence of email. It wasn't until little tosspots started up with spamming all and sundry that the more closed nature of email relaying evolved - the criminals came along and spoiled it for everyone. And you're expecting home users to know better than those early email admins? I agree that MS should have better controls in terms of not having the default account be the admin account... but NT was designed before anything like bots existed. Now MS are trying to catch up (badly) with Vista, but it's not the end users who are to blame.
Leaving aside the computer element his is a standard criminal mindset. What he's doing isn't really wrong. He's invincible right up until he gets caught and when he does the stuff immediately becomes 'stupid stuff I did in the past' until the next time the temptation comes up.
That kind of mentality more or less guarantees repeat offending unless jail time knocks some sense into him.
The analogies are wrong - it's not walking down a dark alley naked, it's walking down a well lit alley that just happens to contain thugs and gangsters with a sign pinned to your back saying "attack me".
The attack itself is more like having your pocket picked as usually you don't notice until much later.
I have a big problem with the fact that people get longer jail times for botnets, than they do for rape, violence and murder/manslaughter.
It's ridiculous!
Even here, they weren't exactly destroying all the computers...they were installing some adware.
Completely and utterly ridiculous.
"That's why I love this age, its all computers heh," SoBe wrote in early December 2005, a month after Ancheta's arrest, during an online chat. "All these companys have websites, etc. Its just funny going somewhere like Target, or Sprint then coming home and rooting there servers out of boredom. Makes some people feel like they can do anything." (Misspellings and grammatical errors are his.)
>an awful lot of software, written by Microsoft as well as others, will not even
>install or in some cases execute, without such privileges.
Quick heads up, HP All in One drivers are one set of such software, it's a PITA.
>amanfromMars
I think it's about time the Reg tracked this guy down for an interview..
You're welcome to try, but first you have to find it and then you will be disappointed because when I am not there, typically others are and when noone is home, the house is secured (the windows, along with the doors, are secure not just some plywood sheets or wooden struts). Also, where I live is a relatively busy neighbourhood with plenty of people to notice strangers prowling around or trying to force doors and windows.
So, translating this back into an analogy for the original article topic, if my house were a PC it would be running a secure OS, sitting behind a properly configured router (i.e. firewall) and I as the user would not be doing stupid things like downloading supposed videos of C-list celebrities, pirated copies of expensive software or clicking on URLs sent to me in email by strangers. Oh, how interesting, that's pretty much exactly like my real PCs :¬)
Nice try, no cigar.
My point was that four and a half years is a long time.
I think the real issue on hand is what are you trying to achieve?
- Prevention?
- Punishment?
- Reform in the individual?
- Correct the problem?
I just don't think the real issue is being tackled, sure the kid needs to be stopped from doing it, I just don't think four and a half years behind bars is going to do any long term good for the kid or society.
In addition, I can't see that any real harm was done. Sure, they broke a few laws...and should be stopped and punished...but they didn't kill anyone, cause any mental problems, physically hurt anyone...
I agree with the synical stance of By b, however, much of this newer bot net stuff is seriously advanced pieces of kit that a basic firewall/AV may or may not prevent.
Don't get me wrong here, I think that bot nets are bad evil things...I just question the way its being dealt with.
The strong defend the weak in society otherwise we'd be govern by warlords... (ahem...).
It covers numerous areas, from the inevitable short skirted rape victim, to people who don't know about computer security, car brakes, aircraft wings, house alarms, building regs.
It's not the victims fault that they're a victim.
I agree I emailed el reg before saying they should do a story on him!
Anyway back to the story!
I do find it amusing how most people say “yea he wasn’t smart". How can you come to that conclusion? Have you stood behind his pc and watched him formulate his plans, code applications, etc. infact for that matter could you accomplish what he had? I'm obviously not siding with a botter I just feel some of the comments are stupid! I do agree the sentences for computer crimes are stupid, like really stupid. And you are right people get off on rape charges after a year or two. If you shop lift you might get let off, get a small fine, do community service. If you download a song and get charged you could pay an unlimited fine and probably get sent to jail. It takes the piss
It's good to hear the police are getting involved with the bot herders (although less impressive they only seem to go after the amateurs that advertise and rent servers using their own credit cards). However, 5 years for approx $40,000 of fraud?!
Check out http://www.birminghammail.net/news/worcestershire-news/tm_headline=-54-million-vat-fraud-gang-is-jailed&method=full&objectid=18421584&siteid=50002-name_page.html
40 years jail time between 8 ppl, so an average of 5 years each. I think the obvious lesson from these stories is if you're going to commit fraud, think BIG! I mean, £7mil a piece (approx $14mil) for 5 years "work"? I'd do it. Ok, you'd have to live on a random tropical island for the rest of your life, but damn it'd be a nice life.
I think there is an inexcusable disparity in sentencing here. What's the going rate for getting drunk, going out on your motorbike and killing someone? 2-3 years? It;s ridiculous. The message seems to be if you mess with ppl with money you get screwed, if you have the money or just kill some random poor person we don't care.
----
if you have the money or just kill some random poor person we don't care.
----
We don't... not really. If it's someone people have heard of they're interested - otherwise they just shrug their shoulders and say "and...?" Read the papers, watch the news - Ant and Dec are "fraudulently" given a comedy award at some show or other and it's news, throw in a couple of token murder/rape cases and that's your front page sorted.
When I was a student someone was clubbed to death with a baseball bat a couple of streets over from where I lived (for being gay I believe) - only reported by the gossips in the local pub and a small article in the Echo.
Honestly - people don't really care.
Oh, "above average intelligence" doesn't mean much - average (in the UK) is 100, above average could be 102 - hardly Stephen Hawking. Face it, the kid was just a numpty skiddie who didn't cover his tracks very well... had his botnet been smaller nobody would have cared and we wouldn't be reading this.
PH - I rest my case
No, the lesson learned is that you do not do it in American. Or anything else for that matter, I do feel for Gary McKinnen if he gets extradited. Would have served a year here maybe, but over there 5+ for sure.
These pair were just kids, they shouldn't be doing jail time. Probation, a fine and restricted access to computers is what they should have gotten.
As for all those that are saying they got what they deserved, if everyone in life went to jail for mistakes they made as a kid but did not get caught for then 99.9% of the population would have served time.
Sometimes we make the wrong decisions in life, we are only human.
The victim's aren't in any way responsible for the actions of the perpetrator, whether or not they've used adequate security. But the moment their machine is part of a botnet which launches a DDoS attack or sends some spam out, they become fully responsible. I have no sympathy for somebody who sends me spam or attacks my website, irrespective of whether or not they knew they were doing it.
They had a bot net of 400,000 machines and then they rented a server?
Why not just use the net?
@conan
The victims aren't in anyway responsible for the actions of the perpetrator, whether or not they've checked their own brakes after they were serviced.
But the moment they have a brake failure leading to them crashing into my car they become fully responsible. I have no sympathy for somebody who had faulty brake parts installed without them knowing and with no way of telling short of a few years study of car mechanics and a lengthy inspection of the car before every trip.
Just goes to show - black hats are nothing but common criminals transplanted to another medium. How they ever achieved any kind of fame is beyond me. And kids - do NOT expect to land a job in the security industry after pulling a caper like this. Stealing is stealing, no two ways about it...
"His nonchalance was fueled by a combination of confidence in the superiority of their tactics and a warped belief that their commandeering of hundreds of thousands of PCs was perfectly acceptable, or in any case, no different than the way most online businesses behaved."
Phorm, anyone?
I think the sentences are way too light, i think they should be sentences based on the a more fair scale, it takes a competent professional about 1 hour to clean up each computer infected with shit spewing crapware these people are pushing, so an appropriate sentence would be 1 hour for every computer these fuckwads infected.
400,000 computers = 45.7 years in club fed, with 90% of their $1.15 per hour pay rate going to the victims relief fund...
Some of the posters here are forgetting that this little weasel was pursuing his hobby not out of "juvenile high spirits", but out of greed, pure and simple. The wee turd was making money out his enterprises, which means that someone somewhere was losing out, whether because they had to pay for someone to purge the malware, someone stole their credentials. The funds gained from the various ad companies were the result of fraud.
There is an argument that all of us internet users have lost out as a result of the skiddies use of bandwidth and the resources soaked up, financial or otherwise protecting ourselves and/or others.
I agree that crime against the person no longer seem to carry sufficiently severe punishment, but fail to see how this excuses SoBe's anti social behaviour.
Lock the bugger up.
While reading all of the comments, I noticed people are questioning his intelligence because of some of his actions that got him caught. I would argue there is a big difference between acting based on naiveté and acting based on stupidity. He was a kid, and did things that kids do because they do not have the "common sense", "life experience", "street sense", or "life experience" to know not to do certain things. Unless, of course, you are stupid enough to think you really did have life mastered by the age of 18.
From reading the article, it is obvious his naiveté got him caught, not a lack of intelligence. Too bad he could not have met a better mentor to direct his skill and motivation to something more legal and ultimately profitable.
"Probation, a fine and restricted access to computers is what they should have gotten."
I see, so you advocate that he should have gotten what he was expecting, in which case, by his own claims, he would still be herding bots, spamming the crap out of the system, and forcing service providers to overbuild their systems in order to support bandwidth these cretins were stealing.
No, they got what they deserved, maybe less. And yes, I'm with the stone throwers who want all 1st degree murders shot, and most of murders of lesser degrees too. Manslaughter should get you a minimum of 10 in the Big House. And publicize the hell out of it so everybody else gets the message too. These cretins pull the crap they pull because idiots like you let them get away with it.
Correction - it's idiots like you that are responsible for ruining kids lives. Thankfully most of these idiots are based in America though. Perhaps you should move there and join them :)
The simple fact is: Give a bright teenage kid the tools to do something and they will play.
Ask any kid in the country if they would hack into their next door neighbours computer if they had the chance too and the answer would be yes. It just happens this kid was brighter than your average PC/Internet user and could code.
As I said - restrict his access to computers till he grows up a bit.
at how naïve some of The Reg readers are. Secure your computer against these guys? You've got to be kidding. Short of cutting your Internet cable, there is no real defense against these bastards. Windows is so full of holes it may as well be swiss cheese.
Of course, it is also easy to jump on the "Microsoft sucks" bandwagon, but I think anyone with an ounce of common sense knows that's not the answer either. Anyone who has worked in law enforcement knows and lives one simple rule. "If someone wants in badly enough, there's nothing you can do to prevent him from getting in." The world is a dangerous place. Anyone who's driven in LA knows that. If you expect less from your OS, you're kidding yourself.
I'm glad to see these guys get busted, and I'm even happier to see them pick up a lengthy stay in federal prison. The fewer of these guys we have on the street, the better, but really, there's no one to blame but them. People who own computers aren't all IT experts and the guys who write operating systems are not gods.
The day someone makes a car that never runs out of gas, always drives you automatically to the place you wanted to go, never collides with anything, and you always get lucky in on a date, then I'll come back to Microsoft and demand perfection.
Robin (and Danny): I'm calling bullshit on that one, sunshine. It's perfectly possible to secure a Windows NT5 based home user system, somewhat harder (and inherently more risky) with Win9x (for those keeping count, NT4 is awkward and was never really home user). The first step, if you use an always on connection is to set networking so that you do not run protocols and services you do not need, the next is to use a router firewall and make sure your IP address is in a private non-routable range. These things in themselves will make many, many exploits impossible (old ones but still regularly attempted just in case). I could go on, but suffice to say that whilst slightly 'technical' it's perfectly possible to secure a Windows PC and the average user can easily be led through the steps.
Tom: I'm pretty much with you on this one. I think multiple murderers (whether in a single incident or repeat offence) should be eligible for execution. I do think we'd need suitably good procedures to make sure but in essence, kill them. As for rape, it tends to get seriously over-hyped. It's a horrible crime, but so is _any_ assault of person and dignity and at the end of the day, rape is pretty much equivalent to serious assaults, it is _not_ in and of itself on a par with murder the way some people seem to want it to be. However, lengthy prison sentences, which actually have to be served, would seem to be the way to deal with rapists and thugs (I'm not saying don't try and 'fix' them, too, but they should still spend a long time deprived of the freedom they obviously were not fit to exercize).
AC (who first replied to Tom): 'Kids' ruin their own lives, the punishment is what they get when they commit crimes. Perhaps if word gets around that the cocky arrogant kids committing crimes left, right and centre are now serving long sentences, their younger siblings won't think it's a bright idea to emulate them. Inexperience, stupidity and ignorance are not valid defences before the law. Oh, he wasn't that bright either, as indicated by the way he went about his activities, his arrogance devoid of competence to back it up and even the fact that he was clearly no coder, just able to edit code (he missed a chunk of code implementing a back door, for Eris's sake!).
AC (who replied to Tom second): I don't think he was suggesting excuting Skiddies, although.... ;¬)
JonB: I get the impression you are trying to challenge the suggestion that those whose machines were hijacked are in no way responsible, if I am wrong I apologize, if not - you probably ought to know that if you are the driver and/or owner of a car whose brakes are faulty, you're legally fully liable, regardless of whether they were improperly installed, imperfect products or anything else. You can sue the installer/manufacturer later but you, the driver, are legally liable.
there is a very simple way to tell the intelligence of someone:
if they are in prison they were dumb enough to do something *and* get caught
if they aren't in prison then it means they were smart enough to either 1. not do it, or 2. not get caught
you guys have, sorry had some nice stuff in your coat pockets... i'm off to the pub to shift some goods
First off, none of the below is meant to dilute the blame due to those who actually ran these botnets. I think the sentence is a little long (I'd go for a shorter sentence and larger fines), but anyway...
"So your argument is that the victim is at least partly responsible, for failing to lock their door / wearing a short miniskirt / whatever?"
I think the argument using this analogy is a lock manufacturer would be partly responsible if they sell "locks" that do not actually hold a door shut. Analogously, Microsoft's made it FAR too easy for people to install unauthorized software ont Windows systems.
"at how naïve some of The Reg readers are. Secure your computer against these guys? You've got to be kidding. Short of cutting your Internet cable, there is no real defense against these bastards. Windows is so full of holes it may as well be swiss cheese."
Yes, I secured my machines by getting Windows the fuck off of them. Although, when I ran XP, by ditching Internet Explorer & Outlook (using Firefox and Eudora, set to not use IE rendering engine) and shutting off the crap services it runs by default, I did not have any crap show up on it. (I ran Ad-Aware and AVG and they never showed a thing.)
"Of course, it is also easy to jump on the "Microsoft sucks" bandwagon, but I think anyone with an ounce of common sense knows that's not the answer either. Anyone who has worked in law enforcement knows and lives one simple rule. "If someone wants in badly enough, there's nothing you can do to prevent him from getting in." "
Computer security's not like picking some physical locks though. A stock Ubuntu system, there's 0 network services running. It's simply impossible for some botnet to install onto it, there's nothing to connect to. Network apps... well, firefox doesn't haphazzardly run code the way IE will (for instance firefox doesn't have ActiveX at all; flash and Java are sandboxed; and the whole app is protected so buffer overflows etc. will crash the app rather than running bad code.) The whole interface, gnome, KDE, mail apps, etc. make it difficult enough to save a random executable and run it so noone's going to run an app by accident, run an app thinking it's a JPEG, etc. MUCH harder to install an unwanted app onto.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
