Slashdot Log In
A Hacker's Audacious Plan To Rule the Underground
Posted by
ScuttleMonkey
on Mon Jan 05, 2009 04:47 PM
from the ambition-can-carry-you-just-so-far dept.
from the ambition-can-carry-you-just-so-far dept.
An anonymous reader writes "Wired has the inside story of Max Butler, a former white hat hacker who joined the underground following a jail stint for hacking the Pentagon. His most ambitious hack was a hostile takeover of the major underground carding boards where stolen credit card and identity data are bought and sold. The attack made his own site, CardersMarket, the largest crime forum in the world, with 6,000 users. But it also made the feds determined to catch him, since one of the sites he hacked, DarkMarket.ws, was secretly a sting operation run by the FBI."
Related Stories
Submission: A Hacker's Audacious Plan to Rule the Underground by Anonymous Coward
[+]
An FBI Agent's 3 Years Undercover With Identity Thieves 196 comments
snydeq writes "InfoWorld offers the inside story of how FBI Supervisory Special Agent J. Keith Mularski, aka Master Splynter, penetrated and took over DarkMarket.ws, the infamous underground carding board hacked by Max Butler and later transformed by Mularski into an FBI sting operation. The three-year tour sent Mularski deeper into the world of online computer fraud than any FBI agent before, resulting in 59 arrests and preventing an estimated $70 million in bank fraud before the FBI pulled the plug on the operation in October."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
My Ambition (Score:5, Funny)
</humor>
Re: (Score:3, Informative)
I've noticed a few of these "What's up with teh red stories on teh front page" comments lately. Are the posters truly unaware of the significance of the red border, or are these posts a variation on the Obama turd trolls or something? I've seen similar comments posted in other threads. Some - like this one - even go so far as to post a link to a screen shot, to "prove" that they really saw a story in red!!!
Mind you, I had the same "am I losing my mind?" reaction when the user page was changed without warnin
Re:My Ambition (Score:4, Funny)
buggy slashcode
+1 Redundant
Parent
Re: (Score:3, Funny)
Re: (Score:3, Informative)
AFAIK that was an internal thing they did as a joke. Still great though.
Re:My Ambition (Score:5, Interesting)
void PAUSE(){ printf("\nPress any key to continue. . ."); while(1) getch(); } // enforce the 'any' key
And this was used in an old app I wrote (a long time ago) - a fake COMMAND.COM/cmd.exe used to prank anyone who used it religiously, mainly a teacher I had that pinged something every about five minutes.
Now can we move on? (And if thats you, peter, then you obviously are new here).
Parent
Re:My Ambition (Score:4, Informative)
Just a note: The sig char limit seems to have been increased to 120. I don't know when that happened, but if you go to Help & Preferences, General, scroll down to Sig and click the [?], it says 120.
An upgrade like that, I don't mind. As for the userpage, it's still ruined one of my favorite parts of Slashdot, and I'm fucking bitter about it
Parent
"Former white hat"? (Score:5, Interesting)
The article leaves out a key piece (Score:5, Funny)
I went to school with Max Butler. He's driven by constant challenges. I knew Max as a friend and as such witnessed the same vitriol and hatred he put up with from others who did not understand him. Teachers often openly mocked him, especially in computer science courses.
His escape from it all came from hacking. He noticed he had a particular knack for it. He'd get really engrossed, and it became sort of a downward spiral from there. If you know anyone like him, please do not ostracize him in his forming years. Imagine if he had been a solid, contributing member of society like timecop, or the millions of other good natured people that run trolling organizations that specialize in making fools out of idiots like yourself.
Re:The article leaves out a key piece (Score:5, Insightful)
There's a huge difference between criticism and ridicule. To be frank, most of us went through that kind of stuff growing up. Very few of us turned out anti-social.
Parent
Re:The article leaves out a key piece (Score:5, Funny)
I went to school with Anonymous Coward. He's driven by shame. I knew AC as a friend and witnessed the same vitriol and hatred he put up with from others who did not understand him. Users often openly mocked him, especially after he posted comments about Apple Computer.
His escape came from posting. He noticed he had a particular knack for it. He'd sometimes post a thousand times a day to Slashdot (just check the logs and you can verify this for yourself). If you know others like him (such as Anonymous Howard, Eponymous Dotard, Androgynous Blowhard), please do not euthanize him in his cromulent fears.
Parent
Re:mod parent troll (Score:5, Funny)
you all must be new here.
Please stop bringing me into this!
Parent
Article? (Score:5, Insightful)
This seems to be written more like a work of fiction than an account of the hack. The description echo'ed the language used in Jeffery Deaver's "The Blue Nowhere".
Re:Article? (Score:5, Funny)
Wouldn't decimating them mean having to leave 90% of the logins?
Parent
Re:Article? (Score:5, Informative)
Yes, just as "homophobe" only means "afraid of that which is the same as them," "you" is only the polite form of indicating the addressee ("ye" being the casual form), "villa" only means "farm," "awful" only means "deserving of awe," and "girl" only means "young child of either sex," [etymonline.com].
Here's a tip: words change meaning.
Parent
Re:CHECK MATE (Score:5, Funny)
since zero is a percent.
Please, let's leave the value of my 401k out of this.
Parent
Re: (Score:3, Insightful)
Well, no readership otherwise. For all my SO knows, I could be hacking the great Chinese firewall. She would not know otherwise and would not care. Trying to get Adobe flashplayer 10 64bit alphaOMGpre-release to work on Ubuntu looks exactly the same as hacking the Chinese Embassy's coke machine server to her if there is no narrative to let her know what is exactly happening.
Re:Article? (Score:5, Funny)
True, but I'll bet there were lots of cool graphics swirling around his head while he was doing it!
Parent
Re:Article? (Score:4, Interesting)
Parent
Re:Article? (Score:4, Interesting)
Forget Doctors, even designers and typographers care about inaccuracies in popular media.
Check out this article about anachronistic fonts in movies [ms-studio.com].
People are weird: we seem to care about just about everything.
Parent
Honest money (Score:4, Insightful)
The way I figure it all the effort that goes into making big money doing crime would be better used in the 'real' world.
I live in the ghetto and the skills required to sell drugs/weapons can be easily transferred to the business world rather easily and the income is higher.
Honest money allows me to sleep at night and at the end of this train ride, the books will be balanced and that man in the sky will do the accounting and even it all out.
Re:Honest money (Score:4, Insightful)
The onus is on the believers, fool
True enough, but you've missed something. Both sides in this argument believe something. Something unprovable.
I would reserve the 'fool' for someone who missed that point. Perhaps you could benefit from a logic refresher yourself, AC.
Parent
Re:Honest money (Score:4, Insightful)
To require proof (or evidence) of a thing in order to believe it exists is not a belief, but simply rational scepticism.
If I tell you that sea water is made of supernatural jello, you are perfectly capable of asking me for some proof without forming a new "belief" that seawater is *not* made out of supernatural jello. Perhaps, you could argue that valuing scepticism is a belief, but then the onus is not on the GP to disprove God but simply to prove scepticism in general has value (easy).
Parent
Ah. It all becomes clear (Score:5, Insightful)
It wasn't that this guy was whacking other underground sites, it's that he also nailed the FBI's "sting" website. The FBI and him engaged in a turf war, because if there's one thing the government hates, it's stealing. It hates competition.
Rather interesting line at end of article... (Score:5, Interesting)
The USS cracked the Whole Disk Encryption of Max Butler.
Now reading about this guy, does Max Butler seem like the kind of guy who is going to keep his WDE password on his PDA?
No, I didn't think so either.
So, what kind would he be likely to use? dm-crypt under Linux? Commercial PGP? Scramdisk? TrueCrypt?
I think more WDE is backdoored than any of us suspect, and my takeaway from that line is that the commercial products aren't to be trusted.
Re:Rather interesting line at end of article... (Score:5, Funny)
The USS cracked
Sounds like the worst name ever for a ship.
Parent
Re: (Score:3, Insightful)
Re:Rather interesting line at end of article... (Score:5, Insightful)
If the encryption isn't government-farm proof then it's kind of worthless as encryption.
Parent
Re:Rather interesting line at end of article... (Score:5, Insightful)
analysis of keyboard wear [...] might have assisted the effort greatly
No. It would not. It's pretty simple. How many times do you type your password vs. how many times do you type some other word? Try doing some computer simulations if you don't believe me. The data will be lost in noise.
The point of encryption is not to provide absolute protection for all time against all efforts but rather to provide protection for a limited amount of time as a function of the resources of your adversary.
No. The point is to take advantage of math problems that are asymmetrically hard to solve.
The goal is to create the largest force multiplier you can. This is how crypto differs from regular security.
The perfect cipher would be simple enough for a human to compute readily on a single piece of paper while resisting the brute forcing efforts of a computer built using every atom on earth, clocked at one terahertz and running since the beginning of the universe. It's a issue of scale. The "force multiplier" effect avaible from crypto is greater than anything in the physical security world. Imagine instead that instead of working with of E = MC^2, you were working with E = C*2^M. See how it's different? The work required to brute force a key baloons very quickly.
Even the best encryption will eventually fall to a determined enough adversary with enough resources to throw at the problem.
No, actually that's not a certainty.
In order for what you said to be true there would have to be fundamental weaknesses in ever cryptographical scheme ever conceived, now or in the future.
If we find even one decent algorithm, free of shortcuts, then by using a large enough key it is possible to ensure that your data is not decoded before the death of the sun.
which sounds reasonable if government super computers were being enlisted in a distributed brute force search of the keyspace.
BASED ON WHAT? Why is months any more reasonable of a timeline to crack an unknown encryption scheme with unknown resources? Why not milliseconds? Why not millenia?
You have NO IDEA, what a reasonable time scale would be and you're just talking out your ass here.
I suppose some my consider me rude for point that out, but there are those of us who find people randomly making things up to support their argument to be rude.
Parent
Re:Rather interesting line at end of article... (Score:5, Interesting)
The thing is: people keep saying that good crypto, while breakable, isn't realistically breakable, by which they mean using the entire computational resources of the planet running continuously for thousands of years. No matter how big any government's encryption-cracking farm, it should be a problem orders of magnitude too large. Twofish, for instance, is estimated to take 32 Petabytes of text [wikipedia.org] before any significant progress could be made on decrypting it, while Blowfish [wikipedia.org] has "no known way to break".
So the question becomes: does the government have quantum computers, and hasn't let on (and if so, why use them on something like this and let the secret out) or are there vulnerabilities in what we're all calling 'good crypto'.
Or, much more likely, did he actually use good cryptography programs, or did he do something stupid? (Or did the government install keyloggers on his equipment or any of a multitude of other ways of attacking the problem that doesn't involve brute-forcing TrueCrypt, for instance.)
Parent
Re:Rather interesting line at end of article... (Score:4, Interesting)
I personally find it very telling that the US government turned down Blowfish despite larger keysize, longer keyspace initialization, non-fixed S-boxes, and better performance, compared to AES.
You can turn off your conspiracy detector. First, Blowfish wasn't allowed to be used in AES since the call for algorithms required it to handle a block size of 128 bits.
Twofish was submitted but Rijndael was selected because of it's performance in the different types of hardware that they tried. There is a Report on the Development of the Advanced Encryption Standard [nist.gov] [PDF warning], that provides a performance comparison, (by rating it I, II or III), of the various algorithms submitted for AES using a variety of hardware and environments, like 8-bit C and Assembler. (Figures 2, 3 and 4 in the paper.)
Also, the NSA approved AES for use on U.S. Top Secret information. They would hardly do that if there was a known method of cracking it.
Parent
Re: (Score:3, Insightful)
The main problem with encryption now is that you can't remember good enough keys anymore.
It's quite possible to brute-force ten-letter alphanumeric passwords. With some assumptions it should be possible to brute-force even larger passwords.
Fun with exponents (Score:5, Interesting)
If cracking a full-disk encryption with a ten-character password takes only five seconds, an eleven-character (assuming that it's case sensitive) password is going to take five minutes. A twelve-character will take about five hours. A thirteen-character, almost two weeks. Fourteen, two years.
Parent
Re:Rather interesting line at end of article... (Score:4, Interesting)
That's why you use pass phrases. "Peter Piper Picked A Pickled Pepper!" is a far better password than #$q%{:}, and it's easier to remember. As a bonus, using natural language won't "wear down the keys" any differently, as a sibling poster suggested (although it's a ridiculous idea to begin with and sounds like something out of a movie).
Parent
Re:Rather interesting line at end of article... (Score:4, Informative)
AES does not come from the NSA. "AES" stands for "Advanced Encryption Standard", and the algorithm selected, Rijndael, comes from two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted it to the AES selection process. All algorithms that took part were publicly evaluated for five years by the cryptography community at large, and Rijndael was selected pretty much by public acclaim.
Parent
Obsession (Score:5, Insightful)
Re:Obsession (Score:4, Insightful)
So you mean it's like World of Warcraft? :-)
Parent
not really... (Score:5, Insightful)
I think this dubious honor belongs to the US government.
Sigh. (Score:4, Interesting)
I have been one of Max's friends since HS. It's been most sad watching all this happen. He's such a good guy. He's made some bad choices, but he also has had his life severely constrained because of what happened with his gf in HS.
What the article doesn't really say is that his friends don't actually believe he assaulted her. He was impulsive and kinda wacky, but never hurt anybody, nor ever wanted to. Just think of him, a big kid with long hair standing in front of a box full of old, conservative, Idaho jurors. He's scary lookin'! Convict!!
Anyways, He was in prison while the rest of us went to college and got jobs. He got out and tried to play catch-up, but it was hard with a felony record. So for the rest of his life, he's been an outsider struggling to get in with the rest of us.
He's tried SO hard to do the right thing. But again, his record made it hard to get jobs, and he is so good at security stuff... It's so easy to slip. Again, bad decisions, but he had so few choices! I just wish he'd come to me to borrow money when he needed it rather than accepting these guys' offer. He was always close-mouthed about what he was doing after that. He said many times to me that he wished he could be doing good things too when I'd tell him about what was going on in my work. He had such huge collections of malware and 0day stuff that he kept meaning to organize and distribute to security researchers. He tried to help out with the honeynet project. etc.
My biggest fantasy is that the government would spring him out after a few years, put him in a room with a really smart handler, and let him rip at trying to figure out who spammers are or pentest government facilities for them or something. He could and would do SO much good. But of course, that only happens in the movies. Sigh.
From what he's said to me, there's a lot more stuff that he wants to say, but he can't talk about it until the trial is over. That said, I think that even he is pretty sure that he deserves some punishment for all this. I do too. But I temper this with the belief that he really would be a positive force for good if he were just given a chance. Please consider that before you vilify him.
Have fun!
Re:White hat? (Score:4, Informative)
It comes from old Western movies. The "good guy" cowboys all wore white hats, and the "bad guys" wore black hats.
Parent
Re:White hat? (Score:5, Funny)
Don't forget "green hat." Those are hackers who shut down computers across the globe in order to reduce the world's carbon footprint.
Parent
Re: (Score:3, Informative)
It's a grey area, which is why those who hack purely for the personal satisfaction, rather than for "good" or "bad" motives are called grey hats. :)
Re: (Score:3, Informative)
White hats don't hack networks without permission, even if they plan to alert the network owner later. That is pure gray hat territory.
White hat hackers do pen tests, but only when given permission (or, more often, are hired to do so).
Re:Catching Max Butler (Score:4, Insightful)
I must be new here, because it's difficult for me to believe that you didn't RTFA!
He's in a prison in Pennsylvania playing D&D while awaiting his trial.
Parent
Re: (Score:3, Informative)
HTH - http://en.wikipedia.org/wiki/Tenderloin,_San_Francisco,_California [wikipedia.org]
Re:He was used (Score:5, Funny)
Isn't hackorX really Max's long-lost brother Rex Hackor, in disguise?
Parent
Not exactly (Score:5, Interesting)
Not exactly true. One of the admins was compromised after an arrest, and rather than shutting it down, they kept it running for a bit longer, planning on setting up big buyers for eventual busts.
Parent
Re: (Score:3, Insightful)
>
The obvious question: why didn't the FBI do this rather than set-up a honeypot site?
Police and prosecutors are rewarded based on the number of arrests and convictions, and not necessarily on reduction in crime?
Re: (Score:3, Informative)
Re:Very unfair image (Score:5, Insightful)
Parent