{"id":584,"date":"2009-01-30T16:55:23","date_gmt":"2009-01-31T00:55:23","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=584"},"modified":"2009-01-30T16:55:59","modified_gmt":"2009-01-31T00:55:59","slug":"security-professional-works-as-botmaster","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/01\/30\/security-professional-works-as-botmaster\/","title":{"rendered":"Security Professional Works as Botmaster"},"content":{"rendered":"<p class=\"MsoNormal\">Security Professional John Schiefer has continued to work in the computer security field for 15 months while he has been waiting to be sentenced for being a botmaster of a 250,000 bot herd (<a href=\"http:\/\/www.theregister.co.uk\/2009\/01\/23\/botmaster_sentencing_kerfuffle\/\">http:\/\/www.theregister.co.uk\/2009\/01\/23\/botmaster_sentencing_kerfuffle\/<\/a>). This Los Angeles-based security consultant has been awaiting sentencing since pleading guilty in November of 2007. Since then, Schiefer has stated that he has been working as a professional in the security field as well as a network engineer for an internet startup. The prosecutors have requested the minimum 60-month sentence, followed by five years of supervised release. Luckily, everyone in this class has signed an ethics form so nothing like this will happen.<\/p>\n<p class=\"MsoNormal\"><!--more--><\/p>\n<p class=\"MsoNormal\">\n<p class=\"MsoNormal\">\n<p class=\"MsoNormal\">The primary concern with this incident is the lack of regulation for people with specialized and potentially dangerous knowledge and skills. Although there is a definite need for people to have these skills, there need to be laws in place so that those abusing their powers will face strong retribution. We have a similar situation with locksmiths, where individuals have knowledge and ability that could be taken advantage of to harm society. 
Unfortunately, the wild west of the Internet isn\u2019t yet established enough to have all the legal issues and restrictions ironed out.<\/p>\n<p class=\"MsoNormal\">\n<p class=\"MsoNormal\">What is especially disconcerting is that the ethics of Schiefer were flexible enough to go against professionalism and take advantage of others. This tarnishes the reputation of all security professionals. Although there are bad individuals in all professions, the idea that little separates the good and bad of security, the white hats and the black hats, is a concern that the security community must confront. The fact that Schiefer was hired on to continue work as a security consultant for a company after being convicted also hints at the malleability of the ethical ideals that could be conflated with computer security as a whole.<\/p>\n<p class=\"MsoNormal\">\n<p class=\"MsoNormal\">Another issue that this situation brings up is how to hold those who abuse computer security skills accountable. This is particularly relevant for our class. Although ethics forms were signed, what keeps students responsible with the knowledge they learn? Attacks and techniques learned in class are widely applicable to the web as a whole and could be easily abused for malicious purposes. To cite a recent example, cross-site scripting attacks can be carried out across the web\u2014sometimes with little effort to devastating effect. Even companies such as Google are not immune to this attack, as can be seen with the recent exploit (and subsequent fix) of the Google Sites login page. Overall, I believe the concern isn\u2019t whether these skills should be taught (the knowledge can be easily gained from other sources), but how to hold accountable those who use their ability to exploit society. As this incident with Schiefer shows, ethics can be extremely volatile. 
Perhaps they shouldn\u2019t be relied on to keep those in the security field from dabbling in illegal black hat actions.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Professional John Schiefer has continued to work in the computer security field for 15 months while he has been waiting to be sentenced for being a botmaster of a 250,000 bot herd (http:\/\/www.theregister.co.uk\/2009\/01\/23\/botmaster_sentencing_kerfuffle\/). This Los Angeles based security consultant &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/01\/30\/security-professional-works-as-botmaster\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":99,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,7],"tags":[],"class_list":["post-584","post","type-post","status-publish","format-standard","hentry","category-current-events","category-ethics"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/584","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/99"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=584"}],"version-history":[{"count":5,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/584\/revisions"}],"predecessor-version":[{"id":589,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/584\/revisions\/589"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=584"}],"wp:term":[{"taxonomy":"category","embeddable":t
rue,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=584"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=584"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}