RiSCiSO - another group of scenery, hit by the FBI
On June 29, 2005, during a Site Down operation, among others, a large-scale RiSCiSO scene group was attacked, working with almost all types of software: games, games and movies. Of the participants in the group, 19 people were arrested.
The group leader, 27-year-old Australian Sean O'Toole, was due to appear in court in Chicago on February 22, 2006. At the request of the FBI, his home in Perth, Australia, where he lived with his parents, was searched and numerous equipment was seized. He was threatened with up to 5 years in prison, a fine of 250 thousand and a claim for damages of one million dollars. However, on the appointed day he did not appear in court, and, despite the announced international search, he was never found .
')
In the indictment , which is still available on the US Department of Justice website, you can read details about the personalities of the suspects (most of them were IT specialists), their roles in the group, topsites that they used, and even how they were revealed .
At the very beginning of the document is a list of the accused, indicating the place of work and role in the group. People from different small cities across America, and not only by age from 22 to 57 years (average age 34 years) in some very interesting positions.
full list of accused
Sean Patrick O'Toole, 26, known as “chucky” from Perth, Australia, was the leader of the group, supervised all activities, provided access to servers, downloaded pirated content from remote servers, which he personally controlled.
Vahid Pazirandeh, 25, known as “vman”, from San Diego, California, worked at a university in a technical field. He was a site manager who was responsible for the installation, maintenance, and support of many servers of the group. Also provided equipment.
Linda Waldron, 57 years old, known as “bajantara”, from the island of Barbados, works as a broadcaster as a broadcaster. Helped the leader to interact with other members of the group, and to recruit new members.
Jeremiah Stevens, 27, known as “^ mort ^” from Jasper, Indiana, works for a company developing software for the US Navy.
Paul Yau, 32, known as “ann”, lives in Houston, Texas, and works as a system administrator with an Internet provider. It was a website.
Sandy Fury, 39, known as “asylum”, lives in West Hollywood, California, working in the field of computer security.
Marc Bartel, 33, known as “biosprint,” from Overland Park, Kansas, IT manager at a law firm. Saytop.
Tu Nguyen, 29, known as “dray”, from Chicago, Illinois, a software consultant, Ph.D. in Mathematics, is working on a doctoral thesis.
Richard Balter, 46, known as “ducky,” from Middle Island, New York. Received equipment from other group members for use in group servers.
Danny Lee, 31, known as “messy,” from Rosemead, California, is a free web developer.
Peter Andrew Holland, 22, known as “thebinary”, from Middletown, Ohio, is a college student. Was recently accepted into the group.
Jason Dobyns, 26, known as “supafly” from Tustin, California, works as a system administrator with an Internet provider. Provided space on your employer's servers to distribute pirated content.
David Lewis, 33, known as “keymaster”, from Costa Mesa, California, IT administrator at an architectural firm. He was a group tester, checked the performance of pirated programs, before they were uploaded to the server. He gave his password to the accused Matthew Cittell, who also went to the server under the name “keymaster”.
Matthew Cittell, 27, from Costa Mesa, California, tech support specialist for a marketing company.
Matthew Ploessel, 24, known as “kkits” and “stikk”, from Seattle, Wash., Is the owner of a computer security consulting firm. It was a website.
Joseph Toland, 44, known as “anim8,” from Rochester Hills, Michigan, IT director at a telecommunications company. Provided the group with pirated software.
Fred Amaya, 41, known as “audiovox,” from Chino Hills, California, is the data entry operator for the county’s state office. He was a site manager, also provided equipment for servers.
Lance Warner, 29, known as “transform,” from Portola Hills, California, works in the IT department of a major US company.
Gregg Piecyhna, 51, from New York. He was a longtime member of the group, and had high-level access to all servers of the group.
Vahid Pazirandeh, 25, known as “vman”, from San Diego, California, worked at a university in a technical field. He was a site manager who was responsible for the installation, maintenance, and support of many servers of the group. Also provided equipment.
Linda Waldron, 57 years old, known as “bajantara”, from the island of Barbados, works as a broadcaster as a broadcaster. Helped the leader to interact with other members of the group, and to recruit new members.
Jeremiah Stevens, 27, known as “^ mort ^” from Jasper, Indiana, works for a company developing software for the US Navy.
Paul Yau, 32, known as “ann”, lives in Houston, Texas, and works as a system administrator with an Internet provider. It was a website.
Sandy Fury, 39, known as “asylum”, lives in West Hollywood, California, working in the field of computer security.
Marc Bartel, 33, known as “biosprint,” from Overland Park, Kansas, IT manager at a law firm. Saytop.
Tu Nguyen, 29, known as “dray”, from Chicago, Illinois, a software consultant, Ph.D. in Mathematics, is working on a doctoral thesis.
Richard Balter, 46, known as “ducky,” from Middle Island, New York. Received equipment from other group members for use in group servers.
Danny Lee, 31, known as “messy,” from Rosemead, California, is a free web developer.
Peter Andrew Holland, 22, known as “thebinary”, from Middletown, Ohio, is a college student. Was recently accepted into the group.
Jason Dobyns, 26, known as “supafly” from Tustin, California, works as a system administrator with an Internet provider. Provided space on your employer's servers to distribute pirated content.
David Lewis, 33, known as “keymaster”, from Costa Mesa, California, IT administrator at an architectural firm. He was a group tester, checked the performance of pirated programs, before they were uploaded to the server. He gave his password to the accused Matthew Cittell, who also went to the server under the name “keymaster”.
Matthew Cittell, 27, from Costa Mesa, California, tech support specialist for a marketing company.
Matthew Ploessel, 24, known as “kkits” and “stikk”, from Seattle, Wash., Is the owner of a computer security consulting firm. It was a website.
Joseph Toland, 44, known as “anim8,” from Rochester Hills, Michigan, IT director at a telecommunications company. Provided the group with pirated software.
Fred Amaya, 41, known as “audiovox,” from Chino Hills, California, is the data entry operator for the county’s state office. He was a site manager, also provided equipment for servers.
Lance Warner, 29, known as “transform,” from Portola Hills, California, works in the IT department of a major US company.
Gregg Piecyhna, 51, from New York. He was a longtime member of the group, and had high-level access to all servers of the group.
After listing the accused, the act stated that
RISCISO was an underground organization founded around 1993 that was engaged in the illegal distribution of large volumes of copyrighted programs, games and movies on the Internet, especially fresh ones.
The above persons have intentionally violated copyright for personal financial gain.
It was a bit wrong. Here I want to go back in time and see some historical files.
The history of RiSCiSO began around 1993, when the BBS network was established. In one of the early nfo files, you can see the phone in clear text and an invitation to join them.
full .nfo file
A few years later, when the network expanded, all the phones and some city codes were already replaced by X. In 1998, BBS-ki still existed, but quickly replaced by Internet sites. It was then, in January 1998, the formation of a unit called RiSCiSO, which dealt exclusively with iso images, was announced. Those who wanted to join them were invited to email:
full .nfo file
At the end of the file you can see the copyright icons next to the name of the RiSC association and the declaration that they, as befits the scenery, do not pursue any financial benefits, and do not accept donations.
We now return to the official document. On the charge of criminal conspiracy, the history of the creation of topsites that the group used is described.
Around 1998 biosprint secretly installed a server in the offices of a telecommunications company in Kansas, they called it a topsite RM1. A few years later this server was discovered.
Around 2002 chucky, vman and stikk installed another server to replace him, also naming it RM1, in a large data center in Los Angeles. The server was part of the data center infrastructure.
In July 2003 in addition to RM1, they installed a server, which was originally called RM2, at the facilities of an Internet provider in Houston, where ann worked. When the server in Los Angeles became unavailable, they used it as a replacement. We will call him the Houston RM1.
Further, in December 2003. they started using the new server, which they called RM2.
For this, vman sent a computer and 17 hard drives to the Garden City by federal express, as he said, it was the equipment originally used in Los Angeles. They installed software that prevents server detection. However, the group members did not know that the computer on which RM2 worked was administered by an “informant” - a person collaborating with the investigation. Physical and remote access to the server was provided to this person by the leader of the group, chucky.
Around the end of 2004. on the Houston RM1 began to show technical problems, and in April 2005. he is completely out of order. As a result, the RM2 server became the group’s primary server for storing and distributing pirated material.
Apparently, for reinforcement of the charges, lists of programs and films downloaded or uploaded to the server are listed for each participant. Also for this purpose, there are numerous descriptions of IRC chats on a closed channel group. I translated only some of them.
IRC chat rooms
On July 25, 2004, the accused audiovox participated in a chat on the IRC channel #risciso, where he asked to upload a copy of the film “The Bourne Conspiracy” to the RM2 server.
On July 24, 2004, the accused biosprint participated in a chat on the IRC channel #risciso, where he informed the group that he could not go to the “SVCD” and “SVCD2” subdirectories on the RM2 server and asked for help.
On August 24, 2004, the accused asylum and the chucky group leader on the #risciso IRC channel discussed the security policy of the group, including a more secure password system and how to make sure that new people accepted into the group did not steal their content from them to organize their own warez sites.
On December 8, 2004, group members gathered to discuss how to find new members, especially with the ability to “open up” programs, as well as the adequacy of existing security measures for access to the server. The accused ^ mort ^ said that RiSCiSO should remove references to the roles of the participants in the group from the list so that law enforcement agencies could not find out what each of them is doing. He also warned that one should not write to nfo who exactly provided them with pirated programs.
On January 5, 2005, the accused anim8 asked on IRC channel #risciso why no new programs were uploaded to the RM2 server.
On January 11, 2005, the accused vman on the IRC channel #risciso was interested in software for deleting data from hard drives.
On January 11, 2005, the accused bajantara on the IRC channel #risciso suggested that a request directory be created on the server, into which applicants for joining the group could upload pirated materials.
On January 27, 2005, the accused stikk on the IRC channel #risciso discussed ann and the members of the RiSCiSO group “qm” and “max” with the accused how best to archive the accumulated pirated material, and how to find a new server for the group.
On May 31, 2005, the accused biosprint on the #risciso IRC channel talked with other members of the group, trying to figure out which of them had the right to give him access to the new RM2 server.
On July 24, 2004, the accused biosprint participated in a chat on the IRC channel #risciso, where he informed the group that he could not go to the “SVCD” and “SVCD2” subdirectories on the RM2 server and asked for help.
On August 24, 2004, the accused asylum and the chucky group leader on the #risciso IRC channel discussed the security policy of the group, including a more secure password system and how to make sure that new people accepted into the group did not steal their content from them to organize their own warez sites.
On December 8, 2004, group members gathered to discuss how to find new members, especially with the ability to “open up” programs, as well as the adequacy of existing security measures for access to the server. The accused ^ mort ^ said that RiSCiSO should remove references to the roles of the participants in the group from the list so that law enforcement agencies could not find out what each of them is doing. He also warned that one should not write to nfo who exactly provided them with pirated programs.
On January 5, 2005, the accused anim8 asked on IRC channel #risciso why no new programs were uploaded to the RM2 server.
On January 11, 2005, the accused vman on the IRC channel #risciso was interested in software for deleting data from hard drives.
On January 11, 2005, the accused bajantara on the IRC channel #risciso suggested that a request directory be created on the server, into which applicants for joining the group could upload pirated materials.
On January 27, 2005, the accused stikk on the IRC channel #risciso discussed ann and the members of the RiSCiSO group “qm” and “max” with the accused how best to archive the accumulated pirated material, and how to find a new server for the group.
On May 31, 2005, the accused biosprint on the #risciso IRC channel talked with other members of the group, trying to figure out which of them had the right to give him access to the new RM2 server.
At the end of the attached list of confiscated equipment, a total of 172 points, computers, laptops, hard drives, all with neatly recorded serial numbers. But there are such records there:
- one CPU, ASUS, with a power cord
- silver computer without side cover
- Homemade CPU (without serial number)
- Toshiba PCX 1000 modem, Serial # 301456532-71, Mac # 00-00-83-33-6A-67
- several cell phones with chargers
- Motorola pager AR # AC111804017
- IBM Deskstar hard drive labeled “Bad”
- Sony tape with “Danny Backup”
- Two Xbox Machines
- Cobalt Server RAQ3 Serial # 4C03BM0036985
On this indictment ends. What happened then with these people? Runaway Sean O'Toole apparently has not been found. And since in the United States a copyright violation is a less serious crime than in Russia, the statute of limitations, which is only 5 years, has long passed.
No information about the condemnation of other participants was also found, and in the USA such documents are neatly published, so I decided that they were able to agree with the investigation and get rid of fines. Adding to their age of 8 years, and googling, I found that most of them still live in the same small cities across America, many still work in IT, and some even registered on Github.
I don’t think that now one of them would be eager to share memories of the good old days, but they probably didn’t forget them. The world is small.
Source: https://habr.com/ru/post/180525/
All Articles