
A Hacker's Audacious Plan To Rule the Underground

An anonymous reader writes "Wired has the inside story of Max Butler, a former white hat hacker who joined the underground following a jail stint for hacking the Pentagon. His most ambitious hack was a hostile takeover of the major underground carding boards where stolen credit card and identity data are bought and sold. The attack made his own site, CardersMarket, the largest crime forum in the world, with 6,000 users. But it also made the feds determined to catch him, since one of the sites he hacked, DarkMarket.ws, was secretly a sting operation run by the FBI."

  • Re:White hat? (Score:4, Informative)

    by Anonymous Coward on Monday January 05, 2009 @06:18PM (#26336117)

    It comes from old Western movies. The "good guy" cowboys all wore white hats, and the "bad guys" wore black hats.

  • Re:White hat? (Score:2, Informative)

    by karstdiver ( 541054 ) on Monday January 05, 2009 @06:18PM (#26336125)
    I think the reference was simply: white hat==good guy black hat==bad guy. See also the "Six Hats" method for thinking (but I'm not sure it applies in this case): http://members.optusnet.com.au/~charles57/Creative/Techniques/sixhats.htm [optusnet.com.au]
  • CHECK MATE (Score:2, Informative)

    by synthesizerpatel ( 1210598 ) on Monday January 05, 2009 @06:25PM (#26336199)

    If you're going by the Roman definition, modern definition such as 'decimation in time' can mean any size reduction of a set, although I don't think down to zero.

    Although, Lindsay Nagel would disagree, since zero is a percent.

  • Re:My Ambition (Score:3, Informative)

    by multisync ( 218450 ) * on Monday January 05, 2009 @06:25PM (#26336223) Journal

    I've noticed a few of these "What's up with teh red stories on teh front page" comments lately. Are the posters truly unaware of the significance of the red border, or are these posts a variation on the Obama turd trolls or something? I've seen similar comments posted in other threads. Some - like this one - even go so far as to post a link to a screen shot, to "prove" that they really saw a story in red!!!

    Mind you, I had the same "am I losing my mind?" reaction when the user page was changed without warning or explanation a month or so ago. My troll radar just goes a little crazy when someone questions something only a logged-in subscriber would see but posts a question about it anonymously.

    Assuming you're not trolling, subscribers get to preview summaries before they are posted to the front page. The previews are bordered in red, so you know they have not yet gone live.

  • by jjohnson ( 62583 ) on Monday January 05, 2009 @06:51PM (#26336529) Homepage

    AES does not come from the NSA. "AES" stands for "Advanced Encryption Standard", and the algorithm selected, Rijndael, comes from two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted it to the AES selection process. All algorithms that took part were publicly evaluated for five years by the cryptography community at large, and Rijndael was selected pretty much by public acclaim.

  • Re:White hat? (Score:3, Informative)

    by Xtifr ( 1323 ) on Monday January 05, 2009 @06:57PM (#26336585) Homepage

    It's a grey area, which is why those who hack purely for the personal satisfaction, rather than for "good" or "bad" motives are called grey hats. :)

  • by wjh31 ( 1372867 ) on Monday January 05, 2009 @07:04PM (#26336663) Homepage
    Would you like to give them the legal right to disrupt any website they felt fit before they had enough evidence to prove wrongdoing? If there is wrongdoing, then gather evidence and prosecute and shut down for good; if there isn't wrongdoing, leave it. Don't cause disruption just because someone has a hunch, or whatever other motives any paranoids/conspiracists/etc. would like to add.
  • Re:Article? (Score:5, Informative)

    by TheoMurpse ( 729043 ) on Monday January 05, 2009 @07:13PM (#26336761) Homepage

    Yes, just as "homophobe" only means "afraid of that which is the same as them," "you" is only the polite form of indicating the addressee ("ye" being the casual form), "villa" only means "farm," "awful" only means "deserving of awe," and "girl" only means "young child of either sex," [etymonline.com].

    Here's a tip: words change meaning.

  • Re:My Ambition (Score:3, Informative)

    by atraintocry ( 1183485 ) on Monday January 05, 2009 @07:26PM (#26336889)

    AFAIK that was an internal thing they did as a joke. Still great though.

  • Re:White hat? (Score:3, Informative)

    by Anonymous Coward on Monday January 05, 2009 @07:48PM (#26337129)

    White hats don't hack networks without permission, even if they plan to alert the network owner later. That is pure gray hat territory.

    White hat hackers do pen tests, but only when given permission (or, more often, are hired to do so).

  • by Klootzak ( 824076 ) on Monday January 05, 2009 @07:57PM (#26337219)
    Because I don't trust wired.com much... I did a quick search for data on Max Butler from the source: The Department of Justice's own press release on this is dated 9/11/2007. [fbi.gov]
  • by Anonymous Coward on Monday January 05, 2009 @10:55PM (#26338683)

    It's actually a horrible passphrase, since it contains only dictionary words

    Depends on what sort of attack you're expecting. A seven ASCII character password has complexity of at most 95^7 ~= 7e13. But since the English language has ~500,000 words, a six word pass phrase has complexity of 500,000^6 ~= 1e34. Of course, a black hat can probably eliminate most words (100,000^6 ~= 1e30). Statistical chaining can probably knock off a bunch of combinations which don't make sense - say we lose an order of magnitude of each. We're still at 10,000^6 ~= 1e24. Even if we lose two orders of magnitudes, we're still at 1000^6 ~= 1e18. In fact, if we lengthened the phrase to 7 words "Peter Piper Picked A Red Pickled Pepper", we could do chaining with only 100 options, and still have a complexity greater than your "strong" 7 character ASCII code (100^7 > 95^7).

    But step back a minute and think about what the attacker has to do to reduce it to "par" with your seven letter password. He has to decide which subset of words to take and then he has to perform natural language processing to figure out which word combinations are likely. Throughout this, we've assumed that the attacker is smart enough to know that we've used at most a seven word passphrase, have separated the words with spaces, only picked from a certain subset of common words, and made a sentence which makes sense grammatically. Let's back up to the point where the attacker has just got done with all 1e10 five word combinations. What will he test next? Will he gamble that your favorite word might be truncheon? Will he account for the possibility that you've intentionally (or accidentally) a word? That you've used underscores instead of spaces? Or that you've extended the pass phrase to six (or seven (or eight?)) words? Or that you might have added an exclamation point or other punctuation at the end? (Re-examine the phrase given by Stikypad closely.)

    This is assuming he's running through the pass phrases systematically, and is being exceptionally clever and knowledgeable, and knows for damn sure you've only used words in the dictionary. Something as simple as 'Cyberax Picked A Pickled Pepper' would completely mess up his system.

    By the way, a stupid attacker brute forcing it would have cracked your "strong" seven character "#$q%{:}" password millennia before he ever got to the 36 character "Peter Piper Picked A Pickled Pepper!".

    It's true that using a phrase that was easily Google-able (e.g. "Peter Piper Picked a Peck of Pickled Peppers") would probably fall quickly, like using "password" for your password would. But the same holds true for the easily guessed "p4ssw0rd" - using "Leet speak" in passwords is so often recommended for "hardening" passwords, that only an idiot would discount it. If I was a hacker, "p4ssw0rd" would be in the first 1000 I'd try, despite it not being in the dictionary.
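
The keyspace arithmetic from the comment above, carried through as an added example (not part of the original post or of Slashdot): it compares the 7-character, 95-symbol password with 6-word passphrases at each vocabulary size the comment names, and finds how many words are needed at each size to exceed 95^7. The function names are assumptions, and the model assumes every word is chosen uniformly and independently from the vocabulary.

```python
import math

def keyspace_bits(symbols: int, length: int) -> float:
    """log2 of the candidate count symbols ** length (uniform, independent picks)."""
    return length * math.log2(symbols)

def min_words_to_beat(vocab: int, target: int) -> int:
    """Smallest k with vocab ** k > target, using exact integer arithmetic."""
    k, space = 0, 1
    while space <= target:
        space *= vocab
        k += 1
    return k

def compare(charset: int = 95, pw_len: int = 7, phrase_len: int = 6,
            vocabs=(500_000, 100_000, 10_000, 1_000, 100)):
    """Return the character-password keyspace and, per vocabulary size,
    (vocab, bits for a phrase_len-word phrase, words needed to beat the password)."""
    target = charset ** pw_len
    rows = [(v, round(keyspace_bits(v, phrase_len), 1), min_words_to_beat(v, target))
            for v in vocabs]
    return target, rows

if __name__ == "__main__":
    target, rows = compare()
    print(f"7 chars from 95 symbols: {target:.2e} candidates, "
          f"{keyspace_bits(95, 7):.1f} bits")
    print(f"{'vocabulary':>10}  {'6-word bits':>11}  {'words to beat 95^7':>18}")
    for vocab, bits, words in rows:
        print(f"{vocab:>10}  {bits:>11}  {words:>18}")
```

The numbers are upper bounds on attacker work only under the uniform-choice assumption; a phrase that is a known quotation or follows predictable grammar has a far smaller effective vocabulary, which is the reduction the comment walks through.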

  • Re:My Ambition (Score:3, Informative)

    by multisync ( 218450 ) * on Monday January 05, 2009 @11:13PM (#26338829) Journal

    Here [slashdot.org]'s a thread from yesterday that has a lot of posts about it. Logged in non-subscribers and ACs report seeing stories with red borders, so either everyone has been granted access to stories from the mysterious future or something's broken (borken???). Taco's journal may yield some clues, but I'm cooking dinner right now.

  • by Anonymous Coward on Tuesday January 06, 2009 @12:54AM (#26339427)

    That would work far more often if your /. user name was just 'new here'. Think about it, or not. :-)

    Already been done: New Here [slashdot.org]

  • Re:My Ambition (Score:4, Informative)

    by halcyon1234 ( 834388 ) <halcyon1234@hotmail.com> on Tuesday January 06, 2009 @10:17AM (#26342245) Journal

    I get sick of explaining this, but the sig (which could not completely fit because of /.) ... void PAUSE(){ printf("\nPress any key to continue. . ."); while(1) getch(); } // enforce the 'any' key

    Just a note: The sig char limit seems to have been increased to 120. I don't know when that happened, but if you go to Help & Preferences, General, scroll down to Sig and click the [?], it says 120.

    An upgrade like that, I don't mind. As for the userpage, it's still ruined one of my favorite parts of Slashdot, and I'm fucking bitter about it
