Saturday, November 10, 2007

AcidStorm is a Thief, not a Celebrity

Yesterday, in Los Angeles, a criminal admitted to tampering with a quarter of a million home computers, with the intent of eavesdropping on their communications, stealing their identities, and stealing money from their bank and PayPal accounts.

Yet despite his admission of guilt, and the vast number of people involved, the judge didn't remand this person to prison - the criminal was sent home to watch television and eat ice-cream until his arraignment, several weeks from now.


Folks, we need to stop treating e-criminals like celebrities. Using computers to steal, rather than guns, does not make their motives any different from those of a common thug. It is time to do the public a favor and start putting these guys in the same cage as the people who rob banks using shotguns and getaway vehicles.

Consider again the facts: "AcidStorm", aka John Kenneth Schiefer, a 26 year old Los-Angeles based information security specialist, copped a plea yesterday and admitted creating a bot-net consisting of a quarter of a million computers. He admitted to stealing the identities of thousands of these unsuspecting users. He admitted to accessing PayPal accounts and online bank accounts.

According to published reports, it isn't yet clear how much money was stolen. But what is clear, is that his intent was criminal. This is underlined by events in Schiefer's past, which apparently include defrauding $19,000 from Simpel Internet in Holland, and admonishing an under-age colleague worried about stealing that he should just "quit being a bitch and claim it."


Ask yourself this - if this theft has taken place at a "real bank", rather than via online banking interfaces, and had involved an attempt to steal actual dollar bills from the bank's cash register, would the perpetrator of this crime be out on bail?

Note to judge and Los Angeles Assistant U.S. Attorney Mark C. Krause: please try and forget the fact that this guy used computers to commit this crime. There is no longer anything sexy or interesting about online crime that demands these people be treated differently - their motives are no different than those of a safe-cracker or petty thief, and they place a heck of a lot more people at risk.

You should throw the book at this guy.

Update 1: According to, the malware distributed by Schiefer contained "a sniffing feature that siphoned PayPal credentials from Protected Store, a section of Windows that stores passwords users have opted to have saved. Although Pstore, as the Windows feature is often called, encrypts the information before storing it, Schiefer's malware was able to read it, presumably by escalating its Windows privileges."

Update 2: Also from - on one occasion, in December 2005, Schiefer moved money out of a Suffolk National Bank account to buy undisclosed domain names from a registrar by the name of "Dynadot".

No comments: