Hacker Sentenced To Longest US Sentence Yet

Iphtashu Fitz writes "The Associated Press is reporting that a Michigan man has been sentenced to 9 years in prison for his involvement in hacking into the corporate systems of Lowe's Home Improvement and attempting to steal customer credit card information. The sentence far exceeds the 5 1/2 years that hacker Kevin Mitnick spent behind bars. Two others are awaiting sentencing, including one of the first people to ever be convicted of wardriving. Prosecutors said the three men tapped into the wireless network of a Lowe's store in Southfield, Mich., used that connection to enter the chain's central computer system in North Wilkesboro, N.C., and installed a program to capture credit card information. No data was actually collected however."

Re:Good

[msmercenary]

Three down, thousands of skript kiddies to go.

Deserves what he got

[paanta]

Not mentioned yet, but he _is_ a repeat offender. He brought down a local bbs--insert obligatory plug for arbornet.org!--back in 2000 and was the first charged with hacking under michigan law. http://www.merit.edu/mail.archives/netsec/2000-09/ msg00009.html I dunno, but you'd think he'd have wised up by now.

Kevin didn't get out in three

[Safety+Cap]

And you're confused. He was essentially held without trial or a bail hearing for 4 1/2 years.

Nomenclature (WAS:Great News)

[Lead+Butthead]

Crackers, people. Not Hackers.

Some facts on this case

[howardjp]

Salcedo was arrested in the last month of a 36-month probation sentence after he broke into Arbornet and many other sites in 2000. The original Slashdot story is here.

Re:This is no different than embezzlement

[plover]

No, it was hacking.

They used the store's 802.11b network to access a computer on the inside. They studied that computer, found a program called "tcpauth", and wrote a program to sniff data from it, some of which was credit card information. That's real hacking.

Problem for these guys is that they were attempting to sniff data that could easily be used in the commission of theft. Had they tried to sniff the price database instead (perhaps to post to Froogle or whatever,) they probably would have ended up with a lesser sentence, because it would have been much more debatable if their intent was theft, fraud, or simple hacking. But going after credit card data is "special", so these guys get to spend some "special" time with some new "special" friends.

Mitnick wasn't sentanced to 5 1/2 years.

[nsanders]

Mitnick was held with out trial for 5 years and eventually was let go for "time served". That's why there was such an uprising behind him. Dispite his crimes, he was serverly miss treated.

Try researching the story before posting it!

Who gets their news from a mickey mouse outfit like ABC anyway? If you're going to post some clueless banter about attempted credit card fraud, at least link to an article (or thread) with some relevant information about the case instead of an uninformed soundbite. You could start with one of the following:

http://reviews-zdnet.com.com/AnchorDesk/4520-7297_ 16-5511088.html

http://www.theregister.co.uk/2003/11/22/michigan_w ifi_hackers_try/

http://www.securityfocus.com/news/7438

http://www.securityfocus.com/news/8835

http://www.netstumbler.org/showthread.php?t=11115

Some of the more interesting quotes for those too lazy to click on the links:

"In 2000, as a juvenile, Salcedo was one of the first to be charged under Michigan's state computer crime law, for allegedly hacking a local ISP."

"It was six months later - Botbyl allegedly admitted to agents - that Botbyl and his friend Salcedo hatched a plan to use the network to steal credit card numbers from the hardware chain"

"At some point in their wardriving experience, Timmins and Botbyl came upon a Lowe's hardware store with an open wireless network. Timmins later admitted to Kevin Poulsen of Security Focus that what he did next was technically illegal: he used the Lowe's network to check his e-mail. When he realized it was Lowe's private network, however, he says, he disconnected."

"That in itself might have been the end of the story. However, Lowe's became aware of the breach and contacted the FBI, who, after its investigation, charged Timmins with one count of unauthorized computer access. And that by itself would have been a significant story: Timmins's plea has been reported as the first instance of a wardriving conviction. I think the claim is an exaggeration, however. The charge would have been the same had he used a wired connection."

"But here's where the story gets interesting. Several months later, Botbyl returned to the Southfield, Michigan, Lowe's with a new friend, Brian Salcedo, now 21. Salcedo, it turned out, was in the final weeks of a three-year probation for an earlier computer crime."

"According to the indictment, the hackers used the wireless network to route through Lowe's corporate data center in North Carolina and connect to the local networks at stores around the country. At two of the stores - in Long Beach, California and Gainseville, Florida - they modified a proprietary piece of software called "tcpcredit" that Lowe's uses to process credit card transactions, building in a virtual wiretap that would store customer's credit card numbers where the hackers could retrieve them later."

"Brian Salcedo, 21, faces an a unusually harsh 12 to 15 year prison term under federal sentencing guidelines, based largely on a stipulation that the potential losses in the scheme exceeded $2.5 million."

"As for how it was computed here's one probable way: Maximum number of cards in the system at the time they could have captured, multiplied times the maximum credit limit on each. (So say Lowe's does an average of 2500 credit cards transactions nationally in a night, and each has a $1000 Credit Limit. That is $2,500,000 right there.)"

"They were not able to access nationwide credit card files or get into corporate systems," says Lowe's spokesperson Gina Balaya. "They did access six credit card transactions from one store."

"My initial reaction when I heard the charges was one of skepticism," says Karl Mozurkewich, founder of the Michigan software company Utropicmedia, and a member of the group. "Eighty percent of the people in the 2600 group in Michigan are more the c

Re:This isn't like Mitnick, and prison doesn't wor

[T-Ranger]

Marshall was released in 1983, after a (new) witness came forward. This is about 10 years before DNA profiling was even thought about, 15 years before it became useful/accurate/cheap. In the inquiry into the actions of the police and crown prosecutors, it became clear that his case was not an accident, with the parties all acting in good faith. I don't think that they had any specific evidence to the contrary, but circumstantial evidence, combined with him being a Native American (to be fair, also well known to the police) was all the investigation they needed.

Excessive in comparison to Acxiom hacker...

[skweegee]

http://www.usdoj.gov/usao/ohs/Press/12-18-03.htm

The total cost to Acxiom of Baas's intrusion and theft of data is more than $5.8 million. Baas faces a maximum penalty of five years in prison, a fine of $250,000 or twice the amount of gain or loss, and three years of supervised release.

Considering Dan actually did steal the data and only can get a maximum of 5 years, this seems excessive for intent.

More information

[Kizzle]

This episode of the phreaking internet radio show Default Radio covers this when it first started several months ago. The co-host on this episode knew these people so it makes for a good insider's point of view.

Default Radio episode 23 part 1
Fast forward to 22:30