Owen Thor Walker, an 18-year-old whose online alias was Akill, assumed responsibility for invading a network of 1.3 million computers, causing havoc at the University of Pennsylvania in 2007, and skimming an as-of-yet unknown amount of money from banks in the Netherlands.

The incident at UPenn occurred when Walker and Ryan Goldstein were attempting to update their botnet. While the denial of service attack affecting UPenn was accidental, it did lead to the arrest of Goldstein, who in turn directed police to Walker. The New Zealand Herald writes “While the New Zealand police were waiting for the FBI to finish its investigations” the NZ police began investigating several large deposits into Walker’s bank account. These were traced to ECS International, a company reported to be connected with similar situations. Walker claims to have sold his code to other people, and no one seems to know what happened to the skimmed money.

According to Technology Review eight people have been indicted, plead guilty, or convicted and an additional 13 warrants have been issued in the United States and abroad in association with this case. Walker’s supposed role as “kingpin” has not lead to additional charges. The ITNews Australia writes that Judge Arthur Tompkins “would not be considering a custodial sentence” due to Walker’s youth when writing the code—he claims to have been 15 at the time.

Botnets are devious. The New Zealand police are quoted by NZ Herald as saying Walker’s code is “considered by international cyber crime investigators to be among the most advanced bot programming encountered,” as it spread automatically, disabled anti-spyware software, deleted rival bots, and functioned mostly without detection. The Anti-Spyware Coalition provides an excellent definition of botnets:

A type of Remote Control Software, specifically a collection of software robots, or “bots,” which run autonomously. A botnet’s originator can control the group remotely. The botnet is usually a collection of zombie machines running programs (worms, Trojans, etc.) under a common command and control infrastructure on public or private networks. Botnets have been used for sending spam remotely, installing more spyware without consent, and other illicit purposes.

Botnets have been used for a variety of nefarious purposes from those listed above to last year’s attack against Estonia.

Nearly a year ago we identified hosting providers with the greatest number of infected sites (found by Google) on their networks. At the time, the dubious honor of “leader” was held by iPowerWeb, with over 10,000 infected sites. At the time, we worked with iPowerWeb as they cleaned up their infected sites and secured their servers. We did so again when they had a smaller breakout of infected sites in December.

Notably, in our latest top networks stats, you won’t see iPowerWeb. In fact, iPowerWeb is near the bottom of our list now, with only 66 infected sites on their network.

Kudos to iPowerWeb for taking steps over the past year to secure their hosting servers against attack and thereby protecting Internet users.

Reproduced with permission¹.

Two security researchers with artistic tendencies, Srikwan & Jakobsson, have created a set of cartoons to educate users on a wide variety of computer security topics. I think they tend to be a bit too focused on scaring people into awareness, but they do have some really good content, delivered in a comic style.

¹ This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License. Please visit www.SecurityCartoon.com for more material.

The New York Times this weekend featured an editorial by Adam Cohen on erosions of user privacy caused by commercial behavioral tracking. While behavioral tracking (primarily through the use of cookies attached to web pages or to display ads) is not inherently bad, it’s important that companies employing tracking properly disclose what they’re doing in their privacy policies and user agreements.

Cohen notes that the scope of information a company can now learn about its users is larger than many users realize:

Web sites can charge a premium if they are able to tell the maker of an expensive sports car that its ads will appear on Web pages clicked on by upper-income, middle-aged men.

The information, however, gets a lot more specific than age and gender — and more sensitive. Tech companies can keep track of when a particular Internet user looks up Alcoholics Anonymous meetings, visits adult Web sites, buys cancer drugs online or participates in anti-government discussion groups.

Cohen also points out that in many cases, users don’t have enough information about how their personal tracking records will be used:

The bigger issue is the digital dossiers that tech companies can compile. Some companies have promised to keep data confidential, or to obscure it so it cannot be traced back to individuals. But it’s hard to know what a particular company’s policy is, and there are too many to keep track of. And privacy policies can be changed at any time.

Companies can help by making sure their privacy policies are easy to find and understand, and that these policies fully disclose what data is being tracked and how it is being handled after it is collected. StopBadware’s guidelines are a great place to start for pointers on best practices for disclosure.

For more information about cookies and their role in behavioral tracking and privacy, check out the videos from our Cookie Crumbles Contest last fall.

StopBadware.org’s parent organization, the Berkman Center for Internet & Society at Harvard Law School, is turning 10 years old this year and is celebrating by giving away $50,000 at its fund raising gala following the Future of the Internet conference:

The Berkman Center for Internet & Society at Harvard Law School is accepting nominations for the first Berkman Awards. The awards will be presented to people or institutions that have made a significant contribution to the Internet and its impact on society over the past decade.

The primary awardee will receive $50,000, and five smaller awards will be given in specific categories such as: human rights/global advocacy; academic and intellectual leadership; pro bono work; infrastructure/communications tools; arts/culture/media; and news/information/journalism.

There are no conditions placed on how the award money must be spent. Nominations for the award will be accepted from the public until April 11, 2008.

April 11 is this Friday, so if you have an idea for a person or organization to nominate, you’d better do so now.