The short arm of the law

Over the years, IT administrators (or, to be more accurate, the sort of IT administrators who take part in the admittedly unscientific polls we conduct on the Sophos website) have generally come across as a rather punitive sort. In particular, our pollsters have regularly asked for harsher sentences for convicted cybercriminals.

For example, 60% said that Jeanson James Ancheta, a 21-year-old bot-herder who is supposed to have had 400,000 zombie PCs under his control back in 2006, should have received a stiffer sentence than 57 months (that’s just under five years in Anglo-speak).

53% thought that the Blaster-B malware author, despite being just a teenager, got lucky with just an 18-month stretch.

And 78% suggested that Sven Jaschan, author of Sasser and Netsky (which many will remember as extremely troublesome worms, though not with any criminality beyond simply being malware), got off lightly. Perhaps he did get off lightly, at that, since he was put on probation and given 30 hours community service.

So I wonder what our steely-hearted admins will make of the matter of 22-year-old Brendan Roy Taylor from Perth in Western Australia? Taylor recently pleaded guilty to charges of dishonestly dealing in or obtaining personal financial information, and was sentenced last week.

It seems that Taylor acquired a bunch of phished credentials – apparently including 56,000 credit card numbers and 53,000 usernames and passwords – and then tried to flog them online. But Taylor picked an undercover cop as his potential sales target, and got caught.

Perth Magistrate's Court

No doubt the police were delighted to get their man, but I doubt they were too pleased with Taylor’s punishment: an AU$150 fine (about £75 or US$120). Oh, and he did get a 12-month good behaviour bond – so if he commits another crime in the next year, he’ll go inside for a year, and be fined a further AU$2000, in addition to any other punishment for the subsequent offence.

I’m not going to complain about the apparent lightness of the sentence. Taylor pleaded guilty, after all, and the courts are entitled to be merciful if they see fit. But I’m not sure I agree with the magistrate’s comments describing Taylor as “a nerd, because you understand things I don’t,” and his observation that people “could have had their identities stolen.” (Source: “$150 fine for nerd who stole 60,000 lives”, Hayley Bolton, Sunday Times, Perth WA, 21 June 2009.)

Firstly, calling a convicted cybercriminal “a nerd” is in my opinion rather like referring to a wife-beater as an “overly vigorous chap”, or an arsonist as “stoked with burning ambitions.” It trivialises the nature of his crime, providing it with a veneer of harmless-sounding criticism. (It is also unfair to real nerds everywhere, somehow implying that those who are considered socially inept because they like to do geeky things with computers instead of partying are, ipso facto, prone to criminality.)

Secondly, we need to accept that once even a small piece of your personal data, or personally identifiable information, has been stolen, then you are already a victim of identity theft, albeit in a minor way.

Trafficking in stolen credit card data and other on-line identification is not a trivial matter. There is no need for the courts to wait until a cybercriminal amasses enough information to take out a mortgage or to acquire a passport in your name, for example, before considering that your identity has been stolen.

Let’s at least hope that prospective employers remember that Taylor is now a convicted cybercriminal and keep him away from any IT-related jobs until he has shown that he has reformed and can be trusted with such a role.

What do you think?

Trying to sell phished credentials online is…