No jail time for botnet creator who promises to go straight

A US federal court has given a break to yet another botnet operator who claims that he’s leaving cybercriminality behind.

Sean Tiernan, 29, of Santa Clara, Calif., was sentenced last week by a US District Court in Pittsburgh to two years probation but no prison time for his involvement with a spam botnet, beginning in 2011.

According to the Department of Justice, Tiernan was involved in the development of the botnet from at least 1 August 2011 until he was raided by the FBI 14 months later.

Tiernan would sell access to his botnet to those who sought to send out these commercial electronic email messages for their own personal commercial gain. At the time of the search of Tiernan’s residence and computer via a search warrant on or about 1 October 2012, over 77,000 bots, or infected computers, were active in Tiernan’s botnet.

Tiernan’s lawyers argued – obviously successfully – that their client deserved leniency for several reasons. As soon as the FBI raided his residence, he confessed and began cooperating with them. A year later, he confessed to a CAN SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003) violation.

As Bleeping Computer reported, his lawyer also argued that while the damage caused by the botnet was real, it was relatively minor – it did not steal the financial data of the victims, it did not extort them, the malware was easily removable and it only collected IP addresses, which courts no longer consider to be private data.

They noted that the spam traffic generated was just advertising, not malware-laden files. And that he didn’t make all that much profit and used it for a worthy cause – his college education. He was a student at Cal Poly when the FBI showed up at his door.

The defense also argued for leniency because Tiernan was just a kid when he got involved. They said his father was a computer consultant, he learned to code when he was a teen and was still a minor when his involvement with the botnet began.

But by 2011 he was into his 20s – a legal adult. Eligible to drink, to vote, to rent a car, to execute contracts and all other adult privileges. Which would seem to make him ineligible to claim adolescence as a defense.

However, his lawyer said he now intends to go straight – that he is enrolled in the Stanford CyberSecurity Graduate Program and is working to become a Certified Information Systems Security Professional (CISSP). He has also, “been employed continuously with a well-known company in the cybersecurity sector.” Perhaps well-known, but neither the company nor Tiernan’s job title was named.

Jody Westby, CEO of Global Cyber Risk and a cybercrime consultant, was not impressed with the sentence.

It reflects a gross lack of awareness and understanding by the judge of [cybercrime] incidents and the harm they cause. Every one of the 77,000 computers he controlled was infected with an unauthorized software program that allowed the computer to be remotely accessed and used to send spam.

That is not only a criminal violation but also a trespass to chattels and a misappropriation of the proxy computers and use of their systems and networks. This sends exactly the wrong message to cybercriminals.

Tiernan is, of course, not the first, or the most famous, cybercriminal to turn to legitimate work. Kevin Mitnick, once known as “the world’s most-wanted hacker,” and who served five years in prison for multiple computer-related crimes, is now head of Mitnick Security Consulting and chief hacking officer at KnowBe4.

Mustafa Al-Bassam, a founding and former member of LulzSec, who went by the alias tFlow, joined Secure Trading, a UK-based online payment firm, last year as a part-time security adviser while working on a degree in computer science at King’s College, London.

He was arrested in July 2011, and received a suspended 20-month prison sentence, was ordered to perform 500 hours of community service and banned from the internet for two years for his role in LulzSec.

And Hector “Sabu” Monsegur, another LulzSec founder, who then later helped take it down, was arrested by the FBI in 2011, but the arrest was kept secret and he was an informant for the agency for the next 10 months.

About a year ago, he joined Rhino Security Labs in Seattle.

Westby doesn’t oppose second chances for cybercriminals, but said it, “should not be easy.”

They are criminals. They could teach or do research but it should take a long while to prove they are reformed and a valued employee before they are allowed to get near a client’s systems. It is one thing to give a person a chance and another to simultaneously put a client at risk.

She added that if Tiernan is going to be working on client accounts, his history should be disclosed first. And she said the company should probably be in touch with its insurer, to make sure it would cover, “any wrongful actions undertaken by that person.”