A Hacker's Audacious Plan To Rule the Underground 313
An anonymous reader writes "Wired has the inside story of Max Butler, a former white hat hacker who joined the underground following a jail stint for hacking the Pentagon. His most ambitious hack was a hostile takeover of the major underground carding boards where stolen credit card and identity data are bought and sold. The attack made his own site, CardersMarket, the largest crime forum in the world, with 6,000 users. But it also made the feds determined to catch him, since one of the sites he hacked, DarkMarket.ws, was secretly a sting operation run by the FBI."
My Ambition (Score:5, Funny)
</humor>
Re: (Score:3, Informative)
I've noticed a few of these "What's up with teh red stories on teh front page" comments lately. Are the posters truly unaware of the significance of the red border, or are these posts a variation on the Obama turd trolls or something? I've seen similar comments posted in other threads. Some - like this one - even go so far as to post a link to a screen shot, to "prove" that they really saw a story in red!!!
Mind you, I had the same "am I losing my mind?" reaction when the user page was changed without warnin
Re: (Score:2)
Re: (Score:3, Funny)
That must be because you're The One, and you are here to save us. Talk you the Oracle in the park - she might tell you what you need to know.
Re:My Ambition (Score:4, Funny)
buggy slashcode
+1 Redundant
Re: (Score:3, Informative)
Here [slashdot.org]'s a thread from yesterday that has a lot of posts about it. Logged in non-subscribers and ACs report seeing stories with red borders, so either everyone has been granted access to stories from the mysterious future or something's broken (borken???). Taco's journal may yield some clues, but I'm cooking dinner right now.
Re: (Score:3, Funny)
Re: (Score:3, Informative)
AFAIK that was an internal thing they did as a joke. Still great though.
Re:My Ambition (Score:5, Interesting)
void PAUSE(){ printf("\nPress any key to continue. . ."); while(1) getch(); } // enforce the 'any' key
And this was used in an old app I wrote (a long time ago) - a fake COMMAND.COM/cmd.exe used to prank anyone who used it religiously, mainly a teacher I had that pinged something every about five minutes.
Now can we move on? (And if thats you, peter, then you obviously are new here).
Re:My Ambition (Score:4, Informative)
Just a note: The sig char limit seems to have been increased to 120. I don't know when that happened, but if you go to Help & Preferences, General, scroll down to Sig and click the [?], it says 120.
An upgrade like that, I don't mind. As for the userpage, it's still ruined one of my favorite parts of Slashdot, and I'm fucking bitter about it
Re: (Score:3, Insightful)
Any-key-humor was slightly funny twenty years ago when Homer Simpson couldn't find the Any key.
``Press any key'' unambiguously means that any keyboard input is acceptable.
The real point of the humor is that users (who are native English speakers) get so acustomed to grammatically-gutted error messages which lack proper capitalization, punctuation and the use of articles like "a" and "the", that they no longer parse ``press any key'' in the obvious way. It's a computer message so there must be article missin
"Former white hat"? (Score:5, Interesting)
He was used (Score:2)
...by hackorX, the true ruler of the hacker underground. You've been warned script kiddie hacker wannabes.
Re:He was used (Score:5, Funny)
Isn't hackorX really Max's long-lost brother Rex Hackor, in disguise?
The article leaves out a key piece (Score:5, Funny)
I went to school with Max Butler. He's driven by constant challenges. I knew Max as a friend and as such witnessed the same vitriol and hatred he put up with from others who did not understand him. Teachers often openly mocked him, especially in computer science courses.
His escape from it all came from hacking. He noticed he had a particular knack for it. He'd get really engrossed, and it became sort of a downward spiral from there. If you know anyone like him, please do not ostracize him in his forming years. Imagine if he had been a solid, contributing member of society like timecop, or the millions of other good natured people that run trolling organizations that specialize in making fools out of idiots like yourself.
Re: (Score:2)
You could be Max Butler himself. for all we know, trying to employ a little PR here.
I'm just sayin'. Your key piece isn't very useful until we actually know that it's true.
Re:The article leaves out a key piece (Score:5, Insightful)
There's a huge difference between criticism and ridicule. To be frank, most of us went through that kind of stuff growing up. Very few of us turned out anti-social.
Re:The article leaves out a key piece (Score:5, Funny)
I went to school with Anonymous Coward. He's driven by shame. I knew AC as a friend and witnessed the same vitriol and hatred he put up with from others who did not understand him. Users often openly mocked him, especially after he posted comments about Apple Computer.
His escape came from posting. He noticed he had a particular knack for it. He'd sometimes post a thousand times a day to Slashdot (just check the logs and you can verify this for yourself). If you know others like him (such as Anonymous Howard, Eponymous Dotard, Androgynous Blowhard), please do not euthanize him in his cromulent fears.
Re:mod parent troll (Score:5, Funny)
you all must be new here.
Please stop bringing me into this!
Re: (Score:3, Insightful)
I think, by declaring liberals as extremists, you pretty well defined hypocrisy with your post.
You use your first 2 sentences to denounce up a type of behavior, and then engage in that very behavior in the very next sentence, you didn't even break for paragraph. Thank you for your demonstration, it may even cover cognitive dissonance as well as hypocrisy.
You know damn well that not all (not even most, and you KNOW it) liberals are extremists like that. On top of that you know (you KNOW) that there are con
I guess it's time . . . (Score:2)
Article? (Score:5, Insightful)
This seems to be written more like a work of fiction than an account of the hack. The description echo'ed the language used in Jeffery Deaver's "The Blue Nowhere".
Re:Article? (Score:5, Funny)
Wouldn't decimating them mean having to leave 90% of the logins?
CHECK MATE (Score:2, Informative)
If you're going by the Roman definition, modern definition such as 'decimation in time' can mean any size reduction of a set, although I don't think down to zero.
Although, Lindsay Nagel would disagree, since zero is a percent.
Re:CHECK MATE (Score:5, Funny)
since zero is a percent.
Please, let's leave the value of my 401k out of this.
Re:Decimate (Score:2)
Yea, but they seem to be trying to make it mean *leave* 10%.
Re: (Score:2)
Yeah, but just one man alone was able to take out 10% with just a few keystrokes! Such horrific power! Which of the remaining 90% will be next?
After he had access, that is. Yeah, this would be written better if it simply said:
"...he was able to take control of the computers. With said control, the computers did everything he told them to do including delete stuff."
Re:Article? (Score:5, Informative)
Yes, just as "homophobe" only means "afraid of that which is the same as them," "you" is only the polite form of indicating the addressee ("ye" being the casual form), "villa" only means "farm," "awful" only means "deserving of awe," and "girl" only means "young child of either sex," [etymonline.com].
Here's a tip: words change meaning.
Re: (Score:3, Funny)
The internet is serious business.
Also,
http://qwantz.com/archive/001377.html [qwantz.com]
Re: (Score:3, Insightful)
Well, no readership otherwise. For all my SO knows, I could be hacking the great Chinese firewall. She would not know otherwise and would not care. Trying to get Adobe flashplayer 10 64bit alphaOMGpre-release to work on Ubuntu looks exactly the same as hacking the Chinese Embassy's coke machine server to her if there is no narrative to let her know what is exactly happening.
Re:Article? (Score:5, Funny)
True, but I'll bet there were lots of cool graphics swirling around his head while he was doing it!
Re: (Score:2)
Re: (Score:2)
Re:Article? (Score:4, Interesting)
Re:Article? (Score:4, Interesting)
Forget Doctors, even designers and typographers care about inaccuracies in popular media.
Check out this article about anachronistic fonts in movies [ms-studio.com].
People are weird: we seem to care about just about everything.
Honest money (Score:4, Insightful)
The way I figure it all the effort that goes into making big money doing crime would be better used in the 'real' world.
I live in the ghetto and the skills required to sell drugs/weapons can be easily transferred to the business world rather easily and the income is higher.
Honest money allows me to sleep at night and at the end of this train ride, the books will be balanced and that man in the sky will do the accounting and even it all out.
Re: (Score:2)
Re: (Score:3, Interesting)
Two things, AC.
1) You can't prove you're right any more than he can.
2) Regardless of who is right, his final thoughts as he leaves this world will be more pleasant than yours.
Re:Honest money (Score:4, Insightful)
The onus is on the believers, fool
True enough, but you've missed something. Both sides in this argument believe something. Something unprovable.
I would reserve the 'fool' for someone who missed that point. Perhaps you could benefit from a logic refresher yourself, AC.
Re:Honest money (Score:4, Insightful)
To require proof (or evidence) of a thing in order to believe it exists is not a belief, but simply rational scepticism.
If I tell you that sea water is made of supernatural jello, you are perfectly capable of asking me for some proof without forming a new "belief" that seawater is *not* made out of supernatural jello. Perhaps, you could argue that valuing scepticism is a belief, but then the onus is not on the GP to disprove God but simply to prove scepticism in general has value (easy).
White hat? (Score:2, Funny)
Just showing my ignorance here, but can someone give me a definition of what 'hat colors' mean? Red Hat I know (I guess), but White Hat? Black Hat? Blue Hat?
Someone throw me a bone, here.
Re:White hat? (Score:4, Informative)
It comes from old Western movies. The "good guy" cowboys all wore white hats, and the "bad guys" wore black hats.
Red and Yellow Hats (Score:2)
The Yellow Hat [wikipedia.org] sect of Tibetan Buddhism is the school that the Dalai Lama and Panchen Lama belong to, as opposed to the Nyingma or Red Hat sect which is the school that the Karmapa Lama belongs to.
And if anybody wants you to install a piece of distributed computing software that needs you to install Tibetan fonts and nine gigabytes of RAM on your computer, do be careful...
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
It's a grey area, which is why those who hack purely for the personal satisfaction, rather than for "good" or "bad" motives are called grey hats. :)
Re: (Score:2)
A good thing. A white hat hacker might break into a network out of curiosity, enrich his knowledge and then alarm the network operators of their problems and even help them with plugging those holes. Penetration testers are white hats too.
A black hat would tend to publicize or sell the vulnerabilities without notifying potential victims.
A cracker would destroy or alter files and generally wreak havoc.
Re: (Score:3, Informative)
White hats don't hack networks without permission, even if they plan to alert the network owner later. That is pure gray hat territory.
White hat hackers do pen tests, but only when given permission (or, more often, are hired to do so).
Re: (Score:2)
Someone throw me a bone, here.
Jimmy hat?
Re:White hat? (Score:5, Funny)
Don't forget "green hat." Those are hackers who shut down computers across the globe in order to reduce the world's carbon footprint.
Ah. It all becomes clear (Score:5, Insightful)
It wasn't that this guy was whacking other underground sites, it's that he also nailed the FBI's "sting" website. The FBI and him engaged in a turf war, because if there's one thing the government hates, it's stealing. It hates competition.
Catching Max Butler (Score:2, Interesting)
I'm assuming this is a pseudonym? Or is he hiding abroad? Because if his real name is known, he can't be that hard to catch...
Re:Catching Max Butler (Score:4, Insightful)
I must be new here, because it's difficult for me to believe that you didn't RTFA!
He's in a prison in Pennsylvania playing D&D while awaiting his trial.
Re: (Score:2)
I'm assuming this is a pseudonym? Or is he hiding abroad? Because if his real name is known, he can't be that hard to catch...
Have you ever heard of this guy? [fbi.gov]
Re: (Score:2)
Addendumg: RTFA, my bad. I took "made the feds determined to catch him" to mean they hadn't yet, but they have.
Rather interesting line at end of article... (Score:5, Interesting)
The USS cracked the Whole Disk Encryption of Max Butler.
Now reading about this guy, does Max Butler seem like the kind of guy who is going to keep his WDE password on his PDA?
No, I didn't think so either.
So, what kind would he be likely to use? dm-crypt under Linux? Commercial PGP? Scramdisk? TrueCrypt?
I think more WDE is backdoored than any of us suspect, and my takeaway from that line is that the commercial products aren't to be trusted.
Re:Rather interesting line at end of article... (Score:5, Funny)
The USS cracked
Sounds like the worst name ever for a ship.
Re: (Score:2)
Re: (Score:2)
The USS cracked
Sounds like the worst name ever for a ship.
USS Cracked [cracked.com]? Doesn't seem to bad to me.
Re: (Score:3, Insightful)
Re:Rather interesting line at end of article... (Score:5, Insightful)
If the encryption isn't government-farm proof then it's kind of worthless as encryption.
Re: (Score:2)
There are other ways that they could have gotten the password. For example, they could
Re: (Score:3, Insightful)
Re:Rather interesting line at end of article... (Score:5, Insightful)
analysis of keyboard wear [...] might have assisted the effort greatly
No. It would not. It's pretty simple. How many times do you type your password vs. how many times do you type some other word? Try doing some computer simulations if you don't believe me. The data will be lost in noise.
The point of encryption is not to provide absolute protection for all time against all efforts but rather to provide protection for a limited amount of time as a function of the resources of your adversary.
No. The point is to take advantage of math problems that are asymmetrically hard to solve.
The goal is to create the largest force multiplier you can. This is how crypto differs from regular security.
The perfect cipher would be simple enough for a human to compute readily on a single piece of paper while resisting the brute forcing efforts of a computer built using every atom on earth, clocked at one terahertz and running since the beginning of the universe. It's a issue of scale. The "force multiplier" effect avaible from crypto is greater than anything in the physical security world. Imagine instead that instead of working with of E = MC^2, you were working with E = C*2^M. See how it's different? The work required to brute force a key baloons very quickly.
Even the best encryption will eventually fall to a determined enough adversary with enough resources to throw at the problem.
No, actually that's not a certainty.
In order for what you said to be true there would have to be fundamental weaknesses in ever cryptographical scheme ever conceived, now or in the future.
If we find even one decent algorithm, free of shortcuts, then by using a large enough key it is possible to ensure that your data is not decoded before the death of the sun.
which sounds reasonable if government super computers were being enlisted in a distributed brute force search of the keyspace.
BASED ON WHAT? Why is months any more reasonable of a timeline to crack an unknown encryption scheme with unknown resources? Why not milliseconds? Why not millenia?
You have NO IDEA, what a reasonable time scale would be and you're just talking out your ass here.
I suppose some my consider me rude for point that out, but there are those of us who find people randomly making things up to support their argument to be rude.
Re:Rather interesting line at end of article... (Score:5, Interesting)
The thing is: people keep saying that good crypto, while breakable, isn't realistically breakable, by which they mean using the entire computational resources of the planet running continuously for thousands of years. No matter how big any government's encryption-cracking farm, it should be a problem orders of magnitude too large. Twofish, for instance, is estimated to take 32 Petabytes of text [wikipedia.org] before any significant progress could be made on decrypting it, while Blowfish [wikipedia.org] has "no known way to break".
So the question becomes: does the government have quantum computers, and hasn't let on (and if so, why use them on something like this and let the secret out) or are there vulnerabilities in what we're all calling 'good crypto'.
Or, much more likely, did he actually use good cryptography programs, or did he do something stupid? (Or did the government install keyloggers on his equipment or any of a multitude of other ways of attacking the problem that doesn't involve brute-forcing TrueCrypt, for instance.)
Re: (Score:2)
There's only a few algorithms used in WDE, and of those, only AES and CAST have had any chance to be altered by governments. In particular, Blowfish and Serpent are, according to quite a few people, very reliable.
I personally find it very telling that the US government turned down Blowfish despite larger keysize, longer keyspace initialization, non-fixed S-boxes, and better performance, compared to AES.
At any rate, almost none of the current algorithms out there can be brute-forced, period. They're just too
Re: (Score:2)
Re: (Score:3, Insightful)
He was once an ally, but that is irrelevant because it was not done by the NSA.
"How'd that Vietnam war ever turn out?"
From a military perspective, we were winning prior to the pull-out. We left because of eroded support for the war among the American public.
"How are things in Iran these days?"
You are 1 for 3, things are bad in Iran. But, as with the key to Detroit, this was not an NSA action.
"No the US would never shortsightedly
Re:Rather interesting line at end of article... (Score:4, Interesting)
I personally find it very telling that the US government turned down Blowfish despite larger keysize, longer keyspace initialization, non-fixed S-boxes, and better performance, compared to AES.
You can turn off your conspiracy detector. First, Blowfish wasn't allowed to be used in AES since the call for algorithms required it to handle a block size of 128 bits.
Twofish was submitted but Rijndael was selected because of it's performance in the different types of hardware that they tried. There is a Report on the Development of the Advanced Encryption Standard [nist.gov] [PDF warning], that provides a performance comparison, (by rating it I, II or III), of the various algorithms submitted for AES using a variety of hardware and environments, like 8-bit C and Assembler. (Figures 2, 3 and 4 in the paper.)
Also, the NSA approved AES for use on U.S. Top Secret information. They would hardly do that if there was a known method of cracking it.
Re: (Score:2)
It could also be that the gov't has farms built for the purpose of cracking encryption...
They do, it's called the National Security Agency. A whole department devoted to encryption/decryption.
Re: (Score:3, Insightful)
The main problem with encryption now is that you can't remember good enough keys anymore.
It's quite possible to brute-force ten-letter alphanumeric passwords. With some assumptions it should be possible to brute-force even larger passwords.
Fun with exponents (Score:5, Interesting)
If cracking a full-disk encryption with a ten-character password takes only five seconds, an eleven-character (assuming that it's case sensitive) password is going to take five minutes. A twelve-character will take about five hours. A thirteen-character, almost two weeks. Fourteen, two years.
Re: (Score:2)
Nope. Effective password alphabet is about 70 characters (26*2+10+punctuation).
You can also assume that passwords are unlikely to have 4 or more consecutive punctuation marks, contain parts of dictionary words, etc.
Re: (Score:2)
Re:Rather interesting line at end of article... (Score:4, Interesting)
That's why you use pass phrases. "Peter Piper Picked A Pickled Pepper!" is a far better password than #$q%{:}, and it's easier to remember. As a bonus, using natural language won't "wear down the keys" any differently, as a sibling poster suggested (although it's a ridiculous idea to begin with and sounds like something out of a movie).
Re: (Score:3, Interesting)
Nope, it's not. It's actually a horrible passphrase, since it contains only dictionary words.
Re: (Score:2)
if by "cracked" you mean "brute-forced his password" or maybe "brute-forced him until he gave up his password", then yeah, I believe you.
Ken Thompson [bell-labs.com] aside, I doubt there are purpose-built backdoors in any open source encryption project (commercial is another matter entirely).
holes that can be exploited, on the other hand, are probably a dime a dozen.
Re: (Score:2)
Re: (Score:2)
ok. I saw the NCIS post and I can't resist...
They usually don't show a lot of the so called "hacking" that McGee(computer geek) or Abbey(the hot goth forensic scientist) partake in on screen thus making them almost believable (not quite) that the agents can actually do what they say they are doing...that said, they blundered badly in one episode. I don't recall which but here's how it played out...
McGee was tasked w/ searching a suspects laptop for data and stated to Gibbs that the hard drive had been 100%
Re: (Score:2)
Re:Rather interesting line at end of article... (Score:4, Informative)
AES does not come from the NSA. "AES" stands for "Advanced Encryption Standard", and the algorithm selected, Rijndael, comes from two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted it to the AES selection process. All algorithms that took part were publicly evaluated for five years by the cryptography community at large, and Rijndael was selected pretty much by public acclaim.
Why didn't the FBI do the disruption? (Score:2)
The obvious question: why didn't the FBI do this rather than set-up a honeypot site? I understand the focus on gathering evidence, but it is interesting the disruption isn't a more important part of the law-enforcement toolkit.
Re: (Score:3, Insightful)
>
The obvious question: why didn't the FBI do this rather than set-up a honeypot site?
Police and prosecutors are rewarded based on the number of arrests and convictions, and not necessarily on reduction in crime?
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Maybe it has something to do with computer trespass laws? I'm not a lawyer, but from what I understand, the law enforcement community has to follow the rules. Often times those rules hamper them. Expensive defense lawyers are often focused on the procedures followed when their clients are arrested or investigated. Any anomolies in the procedure could be a get out of jail free card.
For example, I know a guy who got out of a DUI ticket after being stopped at a DUI checkpoint. The court order/warrant/what
icebreaker (Score:2)
Now operation DarkMarket turns out to be a Fed-run honeypot.
How hard could it be to make a dictionary of likely FBI operation names, or even an application to rank the probability of a domain name being based on operation names that have been used on TV in the past ?
Not exactly (Score:5, Interesting)
Not exactly true. One of the admins was compromised after an arrest, and rather than shutting it down, they kept it running for a bit longer, planning on setting up big buyers for eventual busts.
Re: (Score:2)
Obsession (Score:5, Insightful)
Re:Obsession (Score:4, Insightful)
So you mean it's like World of Warcraft? :-)
Here's the FBI's own press release... (Score:2, Informative)
New Technology--Same Old Story (Score:3, Insightful)
The criminal's accomplices shopped him. That, plus evidence of the public market that he created, was more than enough for a search warrant.
Once again . . . there is no honor among thieves. We should all be grateful for that.
I hope that the Feds launch that guy into the stratosphere.
not really... (Score:5, Insightful)
I think this dubious honor belongs to the US government.
Sigh. (Score:4, Interesting)
I have been one of Max's friends since HS. It's been most sad watching all this happen. He's such a good guy. He's made some bad choices, but he also has had his life severely constrained because of what happened with his gf in HS.
What the article doesn't really say is that his friends don't actually believe he assaulted her. He was impulsive and kinda wacky, but never hurt anybody, nor ever wanted to. Just think of him, a big kid with long hair standing in front of a box full of old, conservative, Idaho jurors. He's scary lookin'! Convict!!
Anyways, He was in prison while the rest of us went to college and got jobs. He got out and tried to play catch-up, but it was hard with a felony record. So for the rest of his life, he's been an outsider struggling to get in with the rest of us.
He's tried SO hard to do the right thing. But again, his record made it hard to get jobs, and he is so good at security stuff... It's so easy to slip. Again, bad decisions, but he had so few choices! I just wish he'd come to me to borrow money when he needed it rather than accepting these guys' offer. He was always close-mouthed about what he was doing after that. He said many times to me that he wished he could be doing good things too when I'd tell him about what was going on in my work. He had such huge collections of malware and 0day stuff that he kept meaning to organize and distribute to security researchers. He tried to help out with the honeynet project. etc.
My biggest fantasy is that the government would spring him out after a few years, put him in a room with a really smart handler, and let him rip at trying to figure out who spammers are or pentest government facilities for them or something. He could and would do SO much good. But of course, that only happens in the movies. Sigh.
From what he's said to me, there's a lot more stuff that he wants to say, but he can't talk about it until the trial is over. That said, I think that even he is pretty sure that he deserves some punishment for all this. I do too. But I temper this with the belief that he really would be a positive force for good if he were just given a chance. Please consider that before you vilify him.
Have fun!
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:3, Informative)
HTH - http://en.wikipedia.org/wiki/Tenderloin,_San_Francisco,_California [wikipedia.org]
Re:Very unfair image (Score:5, Insightful)