Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security The Internet

A Hacker's Audacious Plan To Rule the Underground 313

An anonymous reader writes "Wired has the inside story of Max Butler, a former white hat hacker who joined the underground following a jail stint for hacking the Pentagon. His most ambitious hack was a hostile takeover of the major underground carding boards where stolen credit card and identity data are bought and sold. The attack made his own site, CardersMarket, the largest crime forum in the world, with 6,000 users. But it also made the feds determined to catch him, since one of the sites he hacked, DarkMarket.ws, was secretly a sting operation run by the FBI."
This discussion has been archived. No new comments can be posted.

A Hacker's Audacious Plan To Rule the Underground

Comments Filter:
  • My Ambition (Score:5, Funny)

    by Anthony_Cargile ( 1336739 ) on Monday January 05, 2009 @05:49PM (#26335723) Homepage
    Yeah, many years ago (in my teens) I had the ambition to be "the next bill gates", and now as I write small to medium websites and private applications from my couch, covered in empty red bull cans and small food bags, I think I managed pretty well!

  • "Former white hat"? (Score:5, Interesting)

    by EmbeddedJanitor ( 597831 ) on Monday January 05, 2009 @05:51PM (#26335753)
    Sounds like he was always a black hat but just didn't cause enough problems while he still had his training wheels on.
  • ...by hackorX, the true ruler of the hacker underground. You've been warned script kiddie hacker wannabes.

  • by Anonymous Coward on Monday January 05, 2009 @05:53PM (#26335779)
    Posting anonymously for obvious reasons.

    I went to school with Max Butler. He's driven by constant challenges. I knew Max as a friend and as such witnessed the same vitriol and hatred he put up with from others who did not understand him. Teachers often openly mocked him, especially in computer science courses.

    His escape from it all came from hacking. He noticed he had a particular knack for it. He'd get really engrossed, and it became sort of a downward spiral from there. If you know anyone like him, please do not ostracize him in his forming years. Imagine if he had been a solid, contributing member of society like timecop, or the millions of other good natured people that run trolling organizations that specialize in making fools out of idiots like yourself.
    • by macraig ( 621737 )

      You could be Max Butler himself. for all we know, trying to employ a little PR here.

      I'm just sayin'. Your key piece isn't very useful until we actually know that it's true.

    • by Burning1 ( 204959 ) on Monday January 05, 2009 @08:33PM (#26337587) Homepage

      There's a huge difference between criticism and ridicule. To be frank, most of us went through that kind of stuff growing up. Very few of us turned out anti-social.

    • by digitalhermit ( 113459 ) on Monday January 05, 2009 @09:28PM (#26338035) Homepage

      I went to school with Anonymous Coward. He's driven by shame. I knew AC as a friend and witnessed the same vitriol and hatred he put up with from others who did not understand him. Users often openly mocked him, especially after he posted comments about Apple Computer.

      His escape came from posting. He noticed he had a particular knack for it. He'd sometimes post a thousand times a day to Slashdot (just check the logs and you can verify this for yourself). If you know others like him (such as Anonymous Howard, Eponymous Dotard, Androgynous Blowhard), please do not euthanize him in his cromulent fears.

  • . . . to hang up his hat. Whatever the color.
  • Article? (Score:5, Insightful)

    by Anonymous Coward on Monday January 05, 2009 @05:55PM (#26335813)
    "Once inside, he sucked out their content, including the logins, passwords, and email addresses of everyone who bought and sold through the sites. And then he decimated them, wiping out the databases with the ease of an arsonist flicking a match."

    This seems to be written more like a work of fiction than an account of the hack. The description echo'ed the language used in Jeffery Deaver's "The Blue Nowhere".
    • Re:Article? (Score:5, Funny)

      by momerath2003 ( 606823 ) * on Monday January 05, 2009 @06:20PM (#26336157) Journal

      Wouldn't decimating them mean having to leave 90% of the logins?

    • Re: (Score:3, Insightful)

      by zappepcs ( 820751 )

      Well, no readership otherwise. For all my SO knows, I could be hacking the great Chinese firewall. She would not know otherwise and would not care. Trying to get Adobe flashplayer 10 64bit alphaOMGpre-release to work on Ubuntu looks exactly the same as hacking the Chinese Embassy's coke machine server to her if there is no narrative to let her know what is exactly happening.

    • Re:Article? (Score:5, Funny)

      by multisync ( 218450 ) * on Monday January 05, 2009 @06:31PM (#26336289) Journal

      "Once inside, he sucked out their content, including the logins, passwords, and email addresses of everyone who bought and sold through the sites. And then he decimated them, wiping out the databases with the ease of an arsonist flicking a match."

      This seems to be written more like a work of fiction than an account of the hack.

      True, but I'll bet there were lots of cool graphics swirling around his head while he was doing it!

    • It's still more technically accurate than the average William Gibson novel...
    • Re:Article? (Score:4, Interesting)

      by dave562 ( 969951 ) on Monday January 05, 2009 @07:33PM (#26336979) Journal
      The article is a work of fiction because the actual details weren't available. The author states at the beginning that the details were recreated from court documents. Given that Poulsen himself is a hacker, it is pretty safe to assume that he guessed pretty closely on the details. There are only so many ways to bust into a web server, and SQL injection along with compromised passwords seems likely enough. As for what he did after he had access, what is so fictional about that? He dumped the data and dropped all of the tables. Ooooo, big stretch of imagination there. We're talking about a serious blend of fantasy and sci-fi right there.
  • Honest money (Score:4, Insightful)

    by Anonymous Coward on Monday January 05, 2009 @06:00PM (#26335889)

    The way I figure it all the effort that goes into making big money doing crime would be better used in the 'real' world.

    I live in the ghetto and the skills required to sell drugs/weapons can be easily transferred to the business world rather easily and the income is higher.

    Honest money allows me to sleep at night and at the end of this train ride, the books will be balanced and that man in the sky will do the accounting and even it all out.

    • by dave562 ( 969951 )
      The reality seems to be that the "job experience" gained as a member of a organized criminal enterprise doesn't look very good on a resume. You're right that the money is better, unless you're selling cocaine. In that case, the risk/reward equation is seriously out of wack, especially on a long enough time line.
  • White hat? (Score:2, Funny)

    by Anonymous Coward

    Just showing my ignorance here, but can someone give me a definition of what 'hat colors' mean? Red Hat I know (I guess), but White Hat? Black Hat? Blue Hat?

    Someone throw me a bone, here.

    • Re:White hat? (Score:4, Informative)

      by Anonymous Coward on Monday January 05, 2009 @06:18PM (#26336117)

      It comes from old Western movies. The "good guy" cowboys all wore white hats, and the "bad guys" wore black hats.

      • The Yellow Hat [wikipedia.org] sect of Tibetan Buddhism is the school that the Dalai Lama and Panchen Lama belong to, as opposed to the Nyingma or Red Hat sect which is the school that the Karmapa Lama belongs to.

        And if anybody wants you to install a piece of distributed computing software that needs you to install Tibetan fonts and nine gigabytes of RAM on your computer, do be careful...

    • Re: (Score:2, Informative)

      by karstdiver ( 541054 )
      I think the reference was simply: white hat==good guy black hat==bad guy. See also the "Six Hats" method for thinking (but I'm not sure it applies in this case): http://members.optusnet.com.au/~charles57/Creative/Techniques/sixhats.htm [optusnet.com.au]
    • People who hack for "good" reasons are white hat. People who do it for malicious or immoral reasons are black hat.
      • So is curiosity a good thing or a bad thing?
        • Re: (Score:3, Informative)

          by Xtifr ( 1323 )

          It's a grey area, which is why those who hack purely for the personal satisfaction, rather than for "good" or "bad" motives are called grey hats. :)

        • A good thing. A white hat hacker might break into a network out of curiosity, enrich his knowledge and then alarm the network operators of their problems and even help them with plugging those holes. Penetration testers are white hats too.
          A black hat would tend to publicize or sell the vulnerabilities without notifying potential victims.
          A cracker would destroy or alter files and generally wreak havoc.

          • Re: (Score:3, Informative)

            by Anonymous Coward

            White hats don't hack networks without permission, even if they plan to alert the network owner later. That is pure gray hat territory.

            White hat hackers do pen tests, but only when given permission (or, more often, are hired to do so).

    • Someone throw me a bone, here.

      Jimmy hat?

    • by TheoMurpse ( 729043 ) on Monday January 05, 2009 @07:22PM (#26336849) Homepage

      Don't forget "green hat." Those are hackers who shut down computers across the globe in order to reduce the world's carbon footprint.

  • by girlintraining ( 1395911 ) on Monday January 05, 2009 @06:12PM (#26336051)

    It wasn't that this guy was whacking other underground sites, it's that he also nailed the FBI's "sting" website. The FBI and him engaged in a turf war, because if there's one thing the government hates, it's stealing. It hates competition.

  • Catching Max Butler (Score:2, Interesting)

    by Arancaytar ( 966377 )

    I'm assuming this is a pseudonym? Or is he hiding abroad? Because if his real name is known, he can't be that hard to catch...

  • by GPLDAN ( 732269 ) on Monday January 05, 2009 @06:25PM (#26336215)
    Months later, Aragon's lawyer gave him some bad news. The Secret Service had cracked Butler's crypto and knew more about the hacker than Aragon didâ"which meant Aragon would probably never be offered a deal, even if he wanted one.

    The USS cracked the Whole Disk Encryption of Max Butler.

    Now reading about this guy, does Max Butler seem like the kind of guy who is going to keep his WDE password on his PDA?

    No, I didn't think so either.

    So, what kind would he be likely to use? dm-crypt under Linux? Commercial PGP? Scramdisk? TrueCrypt?

    I think more WDE is backdoored than any of us suspect, and my takeaway from that line is that the commercial products aren't to be trusted.
    • by Schemat1c ( 464768 ) on Monday January 05, 2009 @06:31PM (#26336293) Homepage

      The USS cracked

      Sounds like the worst name ever for a ship.

    • Re: (Score:3, Insightful)

      by snowraver1 ( 1052510 )
      It could also be that the gov't has farms built for the purpose of cracking encryption. This guy was clealy high on their list, so it was worth the CPU time to crack. Just a guess.
      • by Raenex ( 947668 ) on Monday January 05, 2009 @07:01PM (#26336637)

        If the encryption isn't government-farm proof then it's kind of worthless as encryption.

        • The probably just brute forced the key. It probably required a significant amount of time -- the article does not actually give timescales here, and Aragon's trial could have taken nearly two years, considering the high level operation that we are talking about here. With that much time, and the priority of the case, I would not doubt that the government could have devoted enough CPU time to brute force the password.

          There are other ways that they could have gotten the password. For example, they could
        • Re: (Score:3, Insightful)

          by CodeBuster ( 516420 )
          Not at all. The final value of this carders hoard of unused dumps was estimated to be in the range of 500 million dollars (at least according to the article) and the USSS was involved along with the FBI in an attempt to shut down the largest consolidated carder site ever assembled by one person. As other posters have pointed out, analysis of keyboard wear (assuming that Mr. Butler didn't have the foresight to regularly change his physical keyboard) might have assisted the effort greatly (yielding a success
          • by theLOUDroom ( 556455 ) on Monday January 05, 2009 @09:33PM (#26338071)
            What a load of hogwash!

            analysis of keyboard wear [...] might have assisted the effort greatly

            No. It would not. It's pretty simple. How many times do you type your password vs. how many times do you type some other word? Try doing some computer simulations if you don't believe me. The data will be lost in noise.

            The point of encryption is not to provide absolute protection for all time against all efforts but rather to provide protection for a limited amount of time as a function of the resources of your adversary.

            No. The point is to take advantage of math problems that are asymmetrically hard to solve.
            The goal is to create the largest force multiplier you can. This is how crypto differs from regular security.

            The perfect cipher would be simple enough for a human to compute readily on a single piece of paper while resisting the brute forcing efforts of a computer built using every atom on earth, clocked at one terahertz and running since the beginning of the universe. It's a issue of scale. The "force multiplier" effect avaible from crypto is greater than anything in the physical security world. Imagine instead that instead of working with of E = MC^2, you were working with E = C*2^M. See how it's different? The work required to brute force a key baloons very quickly.

            Even the best encryption will eventually fall to a determined enough adversary with enough resources to throw at the problem.

            No, actually that's not a certainty.
            In order for what you said to be true there would have to be fundamental weaknesses in ever cryptographical scheme ever conceived, now or in the future.
            If we find even one decent algorithm, free of shortcuts, then by using a large enough key it is possible to ensure that your data is not decoded before the death of the sun.

            which sounds reasonable if government super computers were being enlisted in a distributed brute force search of the keyspace.

            BASED ON WHAT? Why is months any more reasonable of a timeline to crack an unknown encryption scheme with unknown resources? Why not milliseconds? Why not millenia?

            You have NO IDEA, what a reasonable time scale would be and you're just talking out your ass here.

            I suppose some my consider me rude for point that out, but there are those of us who find people randomly making things up to support their argument to be rude.
      • by Anonymous Coward on Monday January 05, 2009 @07:12PM (#26336747)

        The thing is: people keep saying that good crypto, while breakable, isn't realistically breakable, by which they mean using the entire computational resources of the planet running continuously for thousands of years. No matter how big any government's encryption-cracking farm, it should be a problem orders of magnitude too large. Twofish, for instance, is estimated to take 32 Petabytes of text [wikipedia.org] before any significant progress could be made on decrypting it, while Blowfish [wikipedia.org] has "no known way to break".
        So the question becomes: does the government have quantum computers, and hasn't let on (and if so, why use them on something like this and let the secret out) or are there vulnerabilities in what we're all calling 'good crypto'.

        Or, much more likely, did he actually use good cryptography programs, or did he do something stupid? (Or did the government install keyloggers on his equipment or any of a multitude of other ways of attacking the problem that doesn't involve brute-forcing TrueCrypt, for instance.)

      • There's only a few algorithms used in WDE, and of those, only AES and CAST have had any chance to be altered by governments. In particular, Blowfish and Serpent are, according to quite a few people, very reliable.

        I personally find it very telling that the US government turned down Blowfish despite larger keysize, longer keyspace initialization, non-fixed S-boxes, and better performance, compared to AES.

        At any rate, almost none of the current algorithms out there can be brute-forced, period. They're just too

        • It is very unlikely that the US government would deliberately sabotage the encryption standard for the entire country. It is asking for trouble to do so, since foreign powers are known to be engaged in hacking campaigns against US businesses and agencies, and back doors could be discovered by those powers. I thought we learned this lesson with DES, when the government demanded different S-boxes without telling anyone why, and the S-boxes they chose turned out to make the algorithm more resilient to differ
        • by Bender0x7D1 ( 536254 ) on Monday January 05, 2009 @08:46PM (#26337703)

          I personally find it very telling that the US government turned down Blowfish despite larger keysize, longer keyspace initialization, non-fixed S-boxes, and better performance, compared to AES.

          You can turn off your conspiracy detector. First, Blowfish wasn't allowed to be used in AES since the call for algorithms required it to handle a block size of 128 bits.

          Twofish was submitted but Rijndael was selected because of it's performance in the different types of hardware that they tried. There is a Report on the Development of the Advanced Encryption Standard [nist.gov] [PDF warning], that provides a performance comparison, (by rating it I, II or III), of the various algorithms submitted for AES using a variety of hardware and environments, like 8-bit C and Assembler. (Figures 2, 3 and 4 in the paper.)

          Also, the NSA approved AES for use on U.S. Top Secret information. They would hardly do that if there was a known method of cracking it.

      • by rilian4 ( 591569 )

        It could also be that the gov't has farms built for the purpose of cracking encryption...

        They do, it's called the National Security Agency. A whole department devoted to encryption/decryption.

    • Re: (Score:3, Insightful)

      by Cyberax ( 705495 )

      The main problem with encryption now is that you can't remember good enough keys anymore.

      It's quite possible to brute-force ten-letter alphanumeric passwords. With some assumptions it should be possible to brute-force even larger passwords.

      • Fun with exponents (Score:5, Interesting)

        by Chmcginn ( 201645 ) on Monday January 05, 2009 @07:11PM (#26336735) Journal

        It's quite possible to brute-force ten-letter alphanumeric passwords. With some assumptions it should be possible to brute-force even larger passwords.

        If cracking a full-disk encryption with a ten-character password takes only five seconds, an eleven-character (assuming that it's case sensitive) password is going to take five minutes. A twelve-character will take about five hours. A thirteen-character, almost two weeks. Fourteen, two years.

        • by Cyberax ( 705495 )

          Nope. Effective password alphabet is about 70 characters (26*2+10+punctuation).

          You can also assume that passwords are unlikely to have 4 or more consecutive punctuation marks, contain parts of dictionary words, etc.

        • Hi! I am a government agency hell bent on figuring out your password. Where do I begin?
          1. Go for it, throwing all my CPU time at and trying everything possible
          2. Take your keyboard and analyze the wear on each key, so I can tell which letters you are most likely to use and use that to tip the odds in my favor.
          3. Review your entire life, looking for clues about how you might try to pick passwords.
          4. Some combination of (2) and (3), plus other techniques that would allow me to shave years off of the work of brute forc
      • by StikyPad ( 445176 ) on Monday January 05, 2009 @08:04PM (#26337325) Homepage

        That's why you use pass phrases. "Peter Piper Picked A Pickled Pepper!" is a far better password than #$q%{:}, and it's easier to remember. As a bonus, using natural language won't "wear down the keys" any differently, as a sibling poster suggested (although it's a ridiculous idea to begin with and sounds like something out of a movie).

        • Re: (Score:3, Interesting)

          by Cyberax ( 705495 )

          Nope, it's not. It's actually a horrible passphrase, since it contains only dictionary words.

    • by darkuncle ( 4925 )

      if by "cracked" you mean "brute-forced his password" or maybe "brute-forced him until he gave up his password", then yeah, I believe you.

      Ken Thompson [bell-labs.com] aside, I doubt there are purpose-built backdoors in any open source encryption project (commercial is another matter entirely).

      holes that can be exploited, on the other hand, are probably a dime a dozen.

  • Most illegal online loot was fenced through four so-called carder sites--marketplaces for online criminals to buy and sell credit card numbers, Social Security numbers, and other purloined data. One by one, Butler took them down.

    The obvious question: why didn't the FBI do this rather than set-up a honeypot site? I understand the focus on gathering evidence, but it is interesting the disruption isn't a more important part of the law-enforcement toolkit.

    • Re: (Score:3, Insightful)

      by iluvcapra ( 782887 )


      The obvious question: why didn't the FBI do this rather than set-up a honeypot site?

      Police and prosecutors are rewarded based on the number of arrests and convictions, and not necessarily on reduction in crime?

    • Re: (Score:3, Informative)

      by wjh31 ( 1372867 )
      would you like to give them the legal right to disrupt any website they felt fit before they had enough evidence to proove wrong doing. If there is wrong doing then gather evidence and prosecute and shut down for good, if there isnt wrong doing, leave it, dont cause disruption just because someone has a hunch, or whatever other motives any paranoids/conspiricists/etc would like to add
    • They are probably not allowed to do it, by law. Until they can prove that a computer is being used for illegal purposes, hacking their way into it and messing with the data stored on it is more likely to get the criminals off "on a technicality" than get them locked away for life.
    • by dave562 ( 969951 )

      Maybe it has something to do with computer trespass laws? I'm not a lawyer, but from what I understand, the law enforcement community has to follow the rules. Often times those rules hamper them. Expensive defense lawyers are often focused on the procedures followed when their clients are arrested or investigated. Any anomolies in the procedure could be a get out of jail free card.

      For example, I know a guy who got out of a DUI ticket after being stopped at a DUI checkpoint. The court order/warrant/what

  • recently operation icebreaker brought down some local meth dealers. I bet the same name had been used for similar stings hundreds of times.

    Now operation DarkMarket turns out to be a Fed-run honeypot.

    How hard could it be to make a dictionary of likely FBI operation names, or even an application to rank the probability of a domain name being based on operation names that have been used on TV in the past ?
    • Not exactly (Score:5, Interesting)

      by Chmcginn ( 201645 ) on Monday January 05, 2009 @07:01PM (#26336635) Journal

      Now operation DarkMarket turns out to be a Fed-run honeypot.

      Not exactly true. One of the admins was compromised after an arrest, and rather than shutting it down, they kept it running for a bit longer, planning on setting up big buyers for eventual busts.

    • by wjh31 ( 1372867 )
      dark market was the name of the sting website, not neccecerily the operation, how likely are you to hear the name of an operation at a time such that you can know its something related to what you are doing, where would a meth dealer have herd someone say 'operation icebreaker'?
  • Obsession (Score:5, Insightful)

    by BountyX ( 1227176 ) on Monday January 05, 2009 @07:16PM (#26336791)
    Hacking is an obsession and an addiction. It can easily take over your life, especially if you are good at it. Finding your next target is like getting in your next fix. It offers the ultimate escape, diversion and self-esteem. In a sense, it is a power trip. The kind of rush you expirience when your skills pay off is incredible. For some, it is a rush better than sex and drugs combined. It adds a new dimension to an otherwise mundane and seemingly predictable reality. Some perspective ;)
  • Because I don't trust wired.com much... I did a quick search for data on Max Butler from the source: The Department of Justice's own press release on this is dated 9/11/2007. [fbi.gov]
  • by MarkvW ( 1037596 ) on Monday January 05, 2009 @08:14PM (#26337427)

    The criminal's accomplices shopped him. That, plus evidence of the public market that he created, was more than enough for a search warrant.

    Once again . . . there is no honor among thieves. We should all be grateful for that.

    I hope that the Feds launch that guy into the stratosphere.

  • not really... (Score:5, Insightful)

    by darjen ( 879890 ) on Monday January 05, 2009 @09:10PM (#26337905)

    the largest crime forum in the world

    I think this dubious honor belongs to the US government.

  • Sigh. (Score:4, Interesting)

    by Anonymous Coward on Tuesday January 06, 2009 @02:11AM (#26339817)

    I have been one of Max's friends since HS. It's been most sad watching all this happen. He's such a good guy. He's made some bad choices, but he also has had his life severely constrained because of what happened with his gf in HS.

    What the article doesn't really say is that his friends don't actually believe he assaulted her. He was impulsive and kinda wacky, but never hurt anybody, nor ever wanted to. Just think of him, a big kid with long hair standing in front of a box full of old, conservative, Idaho jurors. He's scary lookin'! Convict!!

    Anyways, He was in prison while the rest of us went to college and got jobs. He got out and tried to play catch-up, but it was hard with a felony record. So for the rest of his life, he's been an outsider struggling to get in with the rest of us.

    He's tried SO hard to do the right thing. But again, his record made it hard to get jobs, and he is so good at security stuff... It's so easy to slip. Again, bad decisions, but he had so few choices! I just wish he'd come to me to borrow money when he needed it rather than accepting these guys' offer. He was always close-mouthed about what he was doing after that. He said many times to me that he wished he could be doing good things too when I'd tell him about what was going on in my work. He had such huge collections of malware and 0day stuff that he kept meaning to organize and distribute to security researchers. He tried to help out with the honeynet project. etc.

    My biggest fantasy is that the government would spring him out after a few years, put him in a room with a really smart handler, and let him rip at trying to figure out who spammers are or pentest government facilities for them or something. He could and would do SO much good. But of course, that only happens in the movies. Sigh.

    From what he's said to me, there's a lot more stuff that he wants to say, but he can't talk about it until the trial is over. That said, I think that even he is pretty sure that he deserves some punishment for all this. I do too. But I temper this with the belief that he really would be a positive force for good if he were just given a chance. Please consider that before you vilify him.

    Have fun!

As of next Tuesday, C will be flushed in favor of COBOL. Please update your programs.