A Hacker's Audacious Plan To Rule the Underground 313
An anonymous reader writes "Wired has the inside story of Max Butler, a former white hat hacker who joined the underground following a jail stint for hacking the Pentagon. His most ambitious hack was a hostile takeover of the major underground carding boards where stolen credit card and identity data are bought and sold. The attack made his own site, CardersMarket, the largest crime forum in the world, with 6,000 users. But it also made the feds determined to catch him, since one of the sites he hacked, DarkMarket.ws, was secretly a sting operation run by the FBI."
"Former white hat"? (Score:5, Interesting)
Catching Max Butler (Score:2, Interesting)
I'm assuming this is a pseudonym? Or is he hiding abroad? Because if his real name is known, he can't be that hard to catch...
Rather interesting line at end of article... (Score:5, Interesting)
The USS cracked the Whole Disk Encryption of Max Butler.
Now reading about this guy, does Max Butler seem like the kind of guy who is going to keep his WDE password on his PDA?
No, I didn't think so either.
So, what kind would he be likely to use? dm-crypt under Linux? Commercial PGP? Scramdisk? TrueCrypt?
I think more WDE is backdoored than any of us suspect, and my takeaway from that line is that the commercial products aren't to be trusted.
Not exactly (Score:5, Interesting)
Not exactly true. One of the admins was compromised after an arrest, and rather than shutting it down, they kept it running for a bit longer, planning on setting up big buyers for eventual busts.
Fun with exponents (Score:5, Interesting)
If cracking a full-disk encryption with a ten-character password takes only five seconds, an eleven-character (assuming that it's case sensitive) password is going to take five minutes. A twelve-character will take about five hours. A thirteen-character, almost two weeks. Fourteen, two years.
Re:Rather interesting line at end of article... (Score:5, Interesting)
The thing is: people keep saying that good crypto, while breakable, isn't realistically breakable, by which they mean using the entire computational resources of the planet running continuously for thousands of years. No matter how big any government's encryption-cracking farm, it should be a problem orders of magnitude too large. Twofish, for instance, is estimated to take 32 Petabytes of text [wikipedia.org] before any significant progress could be made on decrypting it, while Blowfish [wikipedia.org] has "no known way to break".
So the question becomes: does the government have quantum computers, and hasn't let on (and if so, why use them on something like this and let the secret out) or are there vulnerabilities in what we're all calling 'good crypto'.
Or, much more likely, did he actually use good cryptography programs, or did he do something stupid? (Or did the government install keyloggers on his equipment or any of a multitude of other ways of attacking the problem that doesn't involve brute-forcing TrueCrypt, for instance.)
Re:Article? (Score:4, Interesting)
Re:Rather interesting line at end of article... (Score:1, Interesting)
Re:Honest money (Score:3, Interesting)
Two things, AC.
1) You can't prove you're right any more than he can.
2) Regardless of who is right, his final thoughts as he leaves this world will be more pleasant than yours.
Re:Rather interesting line at end of article... (Score:4, Interesting)
That's why you use pass phrases. "Peter Piper Picked A Pickled Pepper!" is a far better password than #$q%{:}, and it's easier to remember. As a bonus, using natural language won't "wear down the keys" any differently, as a sibling poster suggested (although it's a ridiculous idea to begin with and sounds like something out of a movie).
Re:Rather interesting line at end of article... (Score:3, Interesting)
Nope, it's not. It's actually a horrible passphrase, since it contains only dictionary words.
Re:Rather interesting line at end of article... (Score:4, Interesting)
I personally find it very telling that the US government turned down Blowfish despite larger keysize, longer keyspace initialization, non-fixed S-boxes, and better performance, compared to AES.
You can turn off your conspiracy detector. First, Blowfish wasn't allowed to be used in AES since the call for algorithms required it to handle a block size of 128 bits.
Twofish was submitted but Rijndael was selected because of it's performance in the different types of hardware that they tried. There is a Report on the Development of the Advanced Encryption Standard [nist.gov] [PDF warning], that provides a performance comparison, (by rating it I, II or III), of the various algorithms submitted for AES using a variety of hardware and environments, like 8-bit C and Assembler. (Figures 2, 3 and 4 in the paper.)
Also, the NSA approved AES for use on U.S. Top Secret information. They would hardly do that if there was a known method of cracking it.
Re:My Ambition (Score:5, Interesting)
void PAUSE(){ printf("\nPress any key to continue. . ."); while(1) getch(); } // enforce the 'any' key
And this was used in an old app I wrote (a long time ago) - a fake COMMAND.COM/cmd.exe used to prank anyone who used it religiously, mainly a teacher I had that pinged something every about five minutes.
Now can we move on? (And if thats you, peter, then you obviously are new here).
Sigh. (Score:4, Interesting)
I have been one of Max's friends since HS. It's been most sad watching all this happen. He's such a good guy. He's made some bad choices, but he also has had his life severely constrained because of what happened with his gf in HS.
What the article doesn't really say is that his friends don't actually believe he assaulted her. He was impulsive and kinda wacky, but never hurt anybody, nor ever wanted to. Just think of him, a big kid with long hair standing in front of a box full of old, conservative, Idaho jurors. He's scary lookin'! Convict!!
Anyways, He was in prison while the rest of us went to college and got jobs. He got out and tried to play catch-up, but it was hard with a felony record. So for the rest of his life, he's been an outsider struggling to get in with the rest of us.
He's tried SO hard to do the right thing. But again, his record made it hard to get jobs, and he is so good at security stuff... It's so easy to slip. Again, bad decisions, but he had so few choices! I just wish he'd come to me to borrow money when he needed it rather than accepting these guys' offer. He was always close-mouthed about what he was doing after that. He said many times to me that he wished he could be doing good things too when I'd tell him about what was going on in my work. He had such huge collections of malware and 0day stuff that he kept meaning to organize and distribute to security researchers. He tried to help out with the honeynet project. etc.
My biggest fantasy is that the government would spring him out after a few years, put him in a room with a really smart handler, and let him rip at trying to figure out who spammers are or pentest government facilities for them or something. He could and would do SO much good. But of course, that only happens in the movies. Sigh.
From what he's said to me, there's a lot more stuff that he wants to say, but he can't talk about it until the trial is over. That said, I think that even he is pretty sure that he deserves some punishment for all this. I do too. But I temper this with the belief that he really would be a positive force for good if he were just given a chance. Please consider that before you vilify him.
Have fun!
Re:Article? (Score:4, Interesting)
Forget Doctors, even designers and typographers care about inaccuracies in popular media.
Check out this article about anachronistic fonts in movies [ms-studio.com].
People are weird: we seem to care about just about everything.
Re:Article? (Score:2, Interesting)
"awful" only means "deserving of awe,"
Now I have to be an etymology Nazi, and point some things out: When awful first came into our language (approx. 885AD, attributed to Alfred the Great), awe was an Anglo-Saxon word meaning "fear, dread, terror" (Oxford English Dictionary). At that point, awful DID mean "full of awe", but in the sense of "full of fear; full of dread".
It was much later (16th Century) that the word awesome came into being, and the word awe had changed to mean "dread mingled with veneration; reverential or respectful fear", mostly due to it's association with the God of the Bible.
So, you were correct in words changing meaning, but it was the word awe that had evolved, not the actual word awful.
/Nazi