Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Charges And Pleas In Computer Crime Cases Involving Significant Cyber Attacks (justice.gov)
93 points by meri_dian on Dec 13, 2017 | hide | past | favorite | 55 comments


An unfortunate reason to see a former university classmate of mine in the news. It always feels strange to see this story come up every so often. I was never a friend of Jha's, nor was I every really close to him, but I remember him exactly as his attorney described him: "Paras Jha is a brilliant young man whose intellect and technical skills far exceeded his emotional maturity." Jha was not the only former classmate of mine whom I felt lacked emotional maturity, and it is harrowing to imagine how a command of technology can give anyone the power to do something like this if he chose.

Jha intentionally used his skills to inconvenience those around him and he was able to do a great deal of harm to the world at large. While technology makes us better suited to solve problems and help those less fortunate, it also amplifies an individual's ability to do harm.

Intentional malice aside, all of us have the ability to greatly effect the world around us. It is imperative that we consider the impact of our actions. While I was a student at Rutgers, there was no mandatory ethics class for computer science, nor do I remember a class on ethics for computer scientists being offered.


If the department had been in the School of Engineering, pretty sure there would have been a mandatory ethics class.


I've been told the administration at my university plans to move the compsci department out of the engineering department and in to the business school. I really haven't heard any pro to that yet other than "it makes the business people happy and there are more of them."


I used philosphy classes to fill some gen ed requirements, including ethics, but it was by no means required


There's two predominant end-games:

0) Recruit to a three-letter agency, putting talent to positive use under extra scrutiny and a short-leash.

1) "Throw away the key," squander his potential and make him a better criminal.

Hmm, which is better: repay society, generate taxes and give someone a second chance... or be "tough" on crime and let the cycle repeat again?


I don't buy your insinuation that he was just a brilliant mind who was immature enough to inconvenience others. I'm reading through https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-m... and Jha's actions sound like a real criminal. Yes criminal: he was using his technical prowess to bring down minecraft servers and steal customers, effectively running an online protection racket.

I know this sounds harsh but: I'm glad he has been charged with this law and I really really want this guy to be behind bars and think for a long time about what he did. Hopefully it will seriously discourage others from doing the same stuff he did.

On a slightly related note: I can't help but think how this dude could have had a highly successful career in computer security. But he chose to be a criminal. Why?


I read op's commentary more along the lines of emotional immaturity being present, he wasn't really surprised at the nature of the crimes. A lot of these emotionally immature individuals often times are part of the "do things for lulz" mindset. The fact that this started as Minecraft DDOS attacks, re-iterates the immaturity of the individual based on initial targets. I'm not defending these criminals by any means, but I would agree with OP that people whom fit the mental profile of potential asshat hackers are way more common than we'd like to admit. If every crazed rick and morty fan had the technical prowess to pull this stuff off... just imagine the chaos.


It wasn't my intention to detract from the fact that his actions were criminal


They should have thanked Brian Krebs, though. To be honest. Didn't he call out Jha long before anyone else knew?


He did, in this article published in January 2017: https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-m...

It's a great read.


Interestingly, in addition to Paras Jha and Josiah White, the justice department's announcment mentions a guilty plea from Dalton Norman, who isn't mentioned in Krebs's article. I wonder what the story there is?


It's buried in the wired article, they found zero days to use to infect hosts.


Sorry, what Wired article is that?


"How a Dorm Room Minecraft Scam Brought Down the Internet" https://www.wired.com/story/mirai-botnet-minecraft-scam-brou...


Thanks!


thanks, interesting read. though it basically comes down to bad opsec on anna-senpai's part


Krebs almost never knows anything before "anyone else". Before the public or other journos, sure.


Obviously "anyone else" is hyperbolic, but whatever shade you want to throw at Krebs, he is serious about the job of investigative journalism for information security in a way literally nobody else in the industry seems to be.


Why do you think I'm trying to throw shade at Krebs? His journalism is excellent.

I just know that the FBI isn't so incompetent that they didn't already know who these guys were before Krebs wrote his article, enough people surrounding Mirai were already very familiar to them.


Sorry, it's a message board, tone is sometimes hard to tell! I apologize for jumping to the wrong conclusion.


Last few lines state how assistance was provided by various regional and international agencies, and then goes on to list google, coinbase, cloudflare, etc. Interesting.


Coinbase is the surprising one to me, since it is the only one on the list that operates at the application rather than network level. And there's no mention of bitcoin theft anywhere in the report, just DDOS.


Bitcoin payments in DDOS for hire, or extortion (as in we'll stop if you pay us). If they cashed out via coinbase, the authorities can find out who profited via the paper trail created.


He probably held his Bitcoin on coinbase.


Isn't that normal, desired and expected?


It said he got fined $250k for damages his hack caused...Ive always been curious how these fines work. Will he be paying that back after he’s out of jail and employed? Does he have a monthly payment depending on his income? Or can the equivalent be worked out in some type of community service or more jail time?

I ask because the guy is only 21 and now a felon...


They can garnish his wages after a small livable wage is achieved. Basically it will be almost impossible to ever get out of subsistence living. With his skill he may actually have a chance after a decade or two.


Wow, the implications of that are quite interesting. The effects of his sentencing can technically last for decades after he is out of jail. Funny how you never hear much about that in these trials...

But agreed being a convicted hacker won’t prevent him from being employed. Even by the government...


After an incident in my teens in the 90s, I've thought about this at length. The only conclusion I ever seem to draw is one of more criminal activity. Yes, I can hear the inbound downvotes, but I'm just being intellectually honest. How can we expect this kid to reform if we ensure he'll be living without any kind of reward for decades to come? Seems like some jail time would be much more productive. A $250k fine is a 10-20 year sentence of subsistence living. That's probably the worst way to try and give someone the "right" moral compass. The chances we'll reform someone are slim, compared to getting someone jaded by the sentence and incentivized to commit more crime just to get ahead. We won't be rehabilitating this guy with a fine like that.


It's not about him though. It's about signaling to everyone else that these crimes are taken seriously and will not be tolerated.


It's not ethical to use a human life for that message.


Do you mean it's not moral? Because that's what would make it bad.

I'd say it's morally wrong not to do so. Part of moral governance is to protect people from bad guys.


I believe both are the case.


He can move out of the country and never pay a penny.


Most countries bar tourist visas to felons, let alone residency permits.


Ah, I guess I sometimes forget just how lucky I am to be an EU citizen.

However, there's still a plenty of nice places that don't ask too many questions.


It's pretty standard fare when it comes to the career ambitions of prosecutors. One of the "better" cases is that of Stephen Watt, who was hit with such insane restitution and fines ($170MM) that he will never escape poverty.

For writing code. Not hacking, not exploiting systems or keylogging (someone else did that), not even intending his code to be used for these purposes. Just writing the code.

Federal prosecutors and judges are horrible, unfathomably evil people.


> For writing code. Not hacking, not exploiting systems or keylogging (someone else did that), not even intending his code to be used for these purposes. Just writing the code.

That's quite a misrepresentation of the situation: https://www.wired.com/2009/12/stephen-watt.

> Stephen Watt, a 25-year-old former Morgan Stanley software engineer, pleaded guilty last December to creating a custom sniffing program dubbed “blabla” that Gonzalez and other hackers used to siphon millions of credit and debit card numbers from TJX's network. The breach cost TJX $200 million, according to its 2009 SEC filing.

> Prosecutors never alleged that Watt received money for the software he wrote, or directly profited from the hacks. But they brandished more than 300 pages of chats the two friends exchanged that belied Watt's stated ignorance.

> As Gonzalez and his accomplices hacked target after target, he sent Watt links to news stories describing a tidal wave of debit fraud spreading around the world.

It's like saying "oh, I just made a timer circuit for my friend who I knew was blowing up buildings." Note: the $170 million isn't a "fine." It's restitution. Those are two different things. A fine is used to punish bad conduct. Restitution is used to make a victim whole. Conduct that isn't that "bad" can nonetheless result in huge restitution if it resulted in large damages to the victim. Don't do stuff that can result in huge damages if you don't want to be on the hook for them.


I don't know... There's a lot that's not being said in that article... As is the case in all articles about court cases... Or court cases, in general. I feel a very real, "burn the witch" attitude when it comes to hackers and coders mixing with the justice system...


It seems more like hackers tend to be a less aware of the seriousness of certain actions. There is much praise and awe for someone capable of getting past the security systems of big corporations, and some programmers want to prove themselves by doing that. What seems to be lost in the conversation is that it’s not just a technical feat, it might be a crime.

The law may be a little outdated, and yes more awareness is necessary. Until it’s changed though it is prudent to be careful about such things.


If he gets a $100k+ job in IT security, he'll have paid the fine in three years.


Are you forgetting the 30%+ in taxes not to mention living expenses?


With that record he isn't getting hired anywhere.


I personally know Paras. Brilliant guy, really fun to hang out with, and learned a lot of technical knowledge from him. He was my go-to guy (like a lot of other people in the class) to help me fix the programming problems that I can't fix quickly.

I think he hacked the school for the lolz.I dont think he even thought it would be this serious when he did it, with feds and possibly jail time. He probably just wanted to see what he could do.

Even finding out about his involvement in Mirai today, it still doesnt change what I think about his character, or his ethics. Knowing this now, I think he'll become very successful very soon.


That's horribly disappointing. The man hacked thousands of devices and used them to launch DDoSes. He attacked competing minecraft services to steal customers and generate a profit. His botnet was also used to attack Brian Krebs (security researcher) and Dyn.

This isn't up for despute- although Paras originally denied involvement in the botnet this plea agreement and his confession prove that he is both a liar and a criminal.

He may end up being a successful person in the long wrong, but that doesn't make him an ethical person.


Yeah he hacked minecraft services to generate a profit when he was 19 or 20, I wish I could do that when I was 19. I dont think I would have known better at the time either.

He's as responsible of taking down Dyn as Mikhail Kalashnikov is responsible for all the people killed by the ak-47. He simply open sourced a tool for other people to use however they like.

He took the plea to reduce the sentence and the legal expense.


They literally founded a company, "Protraf Solutions LLC", that would DDoS people for profit.

Your AK-47 claim also shows that you really don't know anything about this case and are just trying to justify why you still like your friend. They open sourced their botnet four days after they DDoSed Dyn and Krebs- it wasn't random people who used this software for the attack, it was their company that did so.


When you were 19/20, you didn't realize creating a botnet to take down competing businesses would be illegal?


"Men do not differ much about what things they will call evils; they differ enormously about what evils they will call excusable."

- G.K. Chesterton


Anyone with a brain would know it's illegal, just like anyone would know selling weed is illegal unless you own a dispensary, and can get a really harsh sentence.


Sure, but selling weed generally doesn't harm anyone, while sabotaging and extorting a company directly causes harm to its owners, employees, shareholders, and customers. Not to mention the harm caused by infecting millions of people's devices to create the botnet in the first place.


What is the point you're trying to make here, that somehow this was a victimless crime?


Looks like HN effectively DDOS'd justice.gov


English grammar and orthography are weird and funky, but given that the title is summarized anyway, can we change “has plead” to “has pleaded” or “pleads”


Sure, that sounds better




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: