Former Cal Poly student Sean Tiernan was sentenced to two years of probation Oct. 30 by a Pittsburgh judge for creating and selling a botnet that infected more than 77,000 computers. Tiernan was arrested in 2012 and pleaded guilty to a CAN-SPAM violation in 2013. The CAN-SPAM Act provides recipients with the right to stop people from emailing them. Tiernan was not given any jail time because his motives were considered to be “non-intrusive.”
“It certainly was wrongdoing … he broke the law for sure,” associate computer science and software engineering professor Foaad Khosmood said.
Computer science senior Max Zinkus said that putting a label on these types of computer violations can be a difficult task.
“It’s definitely a challenge to quantify harm with computer-related crimes … it’s always hard to keep laws up-to-date with technology,” Zinkus said. “They will always lag behind, but it’s important that we keep updating them so that they are dealt with in a way that is widely agreed upon.”
Tiernan rented out his software to send spam messages and used the money he made to pay for college. None of the information taken from infected computers was personal; only computer IP addresses were used. This can still be damaging because the infected computer is linked as the source that is sending out spam to other computers. Botnets use this tactic to avoid getting in trouble, Khosmood said.
“It would be like someone breaks into your garage, sets up this manufacturing operation to assemble spam or advertising and then uses your address for shipping and receiving. While [they’re] there, [they’re] taking up your space and your power. That’s the analogy and so I think that’s intrusive,” Khosmood said.
Khosmood said this type of computer hacking is most often used for spam. Someone infects the computers and then can rent them out and make money while a client is using the computers.
“It’s advantageous to them because if one computer sends out millions of spam emails, it’s easy to block that computer. But if there’s 77,000 computers sending out smaller amounts of spam, then it’s really hard to block all of them,” Khosmood said.
Computer science professor Clark Turner said this kind of behavior is not uncommon and hacking can be both a good thing and a bad thing.
As a student at Cal Poly, Tiernan took Professional Responsibilities (CSC 300), which teaches ethics, software system safety and intellectual property. Zinkus said there is always a possibility that students may take advantage of what they learn and use that knowledge negatively.
“Some of the biggest hackers who have made big trouble make a lot of money later because they are seen to be very knowledgeable people,” Turner said. “What kind of an ethical issue is that, rewarding bad behavior?”
Ethical Issues
Despite his violation, Tiernan was enrolled into Stanford’s CyberSecurity Graduate Program and is currently working to become a Certified Information Systems Security Professional.
Mustang News contacted the program in an effort to reach out to Tiernan, but there was no response.
Combating hacking on campus
Although cases such as Tiernan’s are not considered malcious, Cal Poly has made efforts to eliminate any computer hacking on campus.
The White Hat Club is an academic club dedicated to CyberSecurity education and learning how people attack computer systems in order to better defend them.
“Our goal is very much to educate and also to talk about what are our ethical responsibilities,” Zinkus said.
Zinkus is the president of the White Hat Club and said their mission is to foster an environment that teaches caution and the responsibilities that are necessary for computer science.
“What people do with knowledge is always up to them … Certainly these skills can be used for nefarious purposes, but we need people in the workforce to understand them in order to defend,” Zinkus said.
As long as it is profitable, Zinkus said computer hacking will continue to be an issue.
Email spam that occurred in the past has been automated with spam filters and significantly decreased, but innovations like blog spam and Facebook advertising have become the future of spam problems, Khosmood said.
“I think they’re going to be with us for the long term,” Khosmood said. “I think it’s going to be a continuous arms race and that’s just the nature of the beast.”