“A Los Angeles security professional has admitted to infecting more than a quarter million computers with malicious software and installing spyware that was used to steal personal data and serve victims with online advertisements.”
From Security Fix (here)
The interesting aspect of the story isn’t a security professional doing malicious things with a computer, and it certainly isn’t the size of the alleged botnet (~250k), the admission that the accused realized he was on the wrong path and gave it all up to go straight back in 2006, or that some kids were also involved (identified in the complaint only by their online screen names “pr1me” and “dynamic”; notice the cool use of the 1 in place of an i). What is interesting is the use of federal wiretapping laws (here).
“Schiefer is thought to be the first in the United States to be accused of violating federal wiretapping laws by operating a “botnet” — the term for a large grouping of hacked, remotely controlled computers — according to Mark Krause, an assistant U.S. attorney in Los Angeles.”
In February 2006 Christopher Maxwell was indicted for Conspiracy to Intentionally Cause Damage to a Protected Computer and Commit Computer Fraud (here), which could have resulted in 10 years in prison and a $250k fine. Compare that to Schiefer, who faces 60 years in prison and a $1.75 million fine. The penalties against malicious use of computers are becoming more severe as the Justice Department utilizes new methods to indict and convict the accused. Remember mafiaboy? The 15-year-old Canadian hacker used a DDoS attack to bring down many of the largest online companies (eBay, Yahoo, Amazon, CNN, etc.) in February of 2000 and was reported to have caused millions of dollars in damage and shaken the trust of the internet foundation. Well, he essentially received a slap on the wrist.
The risk/reward for committing cybercrime is shifting, which will not result in less cybercrime, only more sophisticated criminal activity. This is more evidence that hostile actors will become more organized, more sophisticated, and much harder to detect with traditional security measures.