A Hacker's Audacious Plan To Rule the Underground

An anonymous reader writes "Wired has the inside story of Max Butler, a former white hat hacker who joined the underground following a jail stint for hacking the Pentagon. His most ambitious hack was a hostile takeover of the major underground carding boards where stolen credit card and identity data are bought and sold. The attack made his own site, CardersMarket, the largest crime forum in the world, with 6,000 users. But it also made the feds determined to catch him, since one of the sites he hacked, DarkMarket.ws, was secretly a sting operation run by the FBI."

My Ambition

[Anthony_Cargile]

Yeah, many years ago (in my teens) I had the ambition to be "the next bill gates", and now as I write small to medium websites and private applications from my couch, covered in empty red bull cans and small food bags, I think I managed pretty well!

</humor>

Re:My Ambition

It's just CowboyNeal messing wiCARRIER LOST.

Re:My Ambition

So you wanted to be the reason millions of computers crash on a daily basis? Why didn't you just write a virus or something?

Re:My Ambition

[multisync]

I've noticed a few of these "What's up with teh red stories on teh front page" comments lately. Are the posters truly unaware of the significance of the red border, or are these posts a variation on the Obama turd trolls or something? I've seen similar comments posted in other threads. Some - like this one - even go so far as to post a link to a screen shot, to "prove" that they really saw a story in red!!!

Mind you, I had the same "am I losing my mind?" reaction when the user page was changed without warning or explanation a month or so ago. My troll radar just goes a little crazy when someone questions something only a logged-in subscriber would see but posts a question about it anonymously.

Assuming you're not trolling, subscribers get to preview summaries before they are posted to the front page. The previews are bordered in red, so you know they have not yet gone live.

Re:My Ambition

[Anthony_Cargile]

Bill gates makes money off of his virus. I guess I could have done the same with a little marketing and a commercial with an ape convincing you to buy it.

Re:My Ambition

[rk]

Assuming you're not trolling, subscribers get to preview summaries before they are posted to the front page. The previews are bordered in red, so you know they have not yet gone live.

This is true, but I'm no longer a subscriber, and I've noticed the red border myself a few times. It's enough to make me check if anyone bought me a gift subscription and they haven't. My semi-educated guess is there's some non-atomic publish update occurring, where the article is published, but the "Mysterious Future!" theming is not yet updated.

Re:My Ambition

I am not a subscriber, yet have seen many stories in red.

Re:My Ambition

[multisync]

... I'm no longer a subscriber, and I've noticed the red border myself a few times

Interesting. Being a subscriber, nothing looked out of place to me, and there seems to be a lot of comments like the one I replied to lately. After posting, I noticed this one in an earlier story.

My semi-educated guess is there's some non-atomic publish update occurring, where the article is published, but the "Mysterious Future!" theming is not yet updated.

Good point. Never attribute to malice anything that can be explained by buggy slashcode ;-)

Re:My Ambition

rk posted above that he experiences the same thing, despite not being a subscriber. Just out of curiosity, do you see it regardless of whether or not you are logged in?

Re:My Ambition

just fyi i've seen them (rarely) but have never subscribed (paid) to slashdot in my life. (i do have an account, sometimes log in, sometimes dont). so you might want to revisit your theory.

Re:My Ambition

[atraintocry]

AFAIK that was an internal thing they did as a joke. Still great though.

Re:My Ambition

[idontgno]

buggy slashcode

+1 Redundant

Re:My Ambition

[AceofSpades19]

I have seen borders in red, and I don't believe I'm a subscriber

Re:My Ambition

Have all the posters been Anonymous Cowards? I have never registered for Slashdot and I noticed a red bordered story for the first time a little while ago on the front page. If only subscribers get to preview summaries before they are posted, something is up.

Re:My Ambition

[miruku]

i can't be bothered keeping up with the changelog or whatever of the more recent slashdot changes, but 95% of stories on the front page have the red border on the left so i've been assuming these are the 'hot' stories that have come through from the firehose.

(this is the border being refered to, yes?)

Re:My Ambition

[Nathrael]

It's NO CARRIER, you insensitive clod!

Re:My Ambition

oh god, your sig... did you just learn C this year? fuck you need to change that

Re:My Ambition

[Anthony_Cargile]

I get sick of explaining this, but the sig (which could not completely fit because of /.) is supposed to infinitely loop like that. I'm fully aware that getch() is only found in DOS's conio.h (and the ncurses lib), but even The C Programming Language references it, without providing the code for it (or even a header inclusion, for that matter). The full code snippet (forgive me, mods) is this:

void PAUSE(){ printf("\nPress any key to continue. . ."); while(1) getch(); } // enforce the 'any' key

And this was used in an old app I wrote (a long time ago) - a fake COMMAND.COM/cmd.exe used to prank anyone who used it religiously, mainly a teacher I had that pinged something every about five minutes.

Now can we move on? (And if thats you, peter, then you obviously are new here).

Re:My Ambition

[Plutonite]

That must be because you're The One, and you are here to save us. Talk you the Oracle in the park - she might tell you what you need to know.

Re:My Ambition

I read slashdot without an account (I don't usually bother posting any comments) yet a few times the past few days I have seen news stories on the front page that have initially got a red border.

So if someone from the coding site of slashdot is reading this you should probably look into it.

Re:My Ambition

[multisync]

Here's a thread from yesterday that has a lot of posts about it. Logged in non-subscribers and ACs report seeing stories with red borders, so either everyone has been granted access to stories from the mysterious future or something's broken (borken???). Taco's journal may yield some clues, but I'm cooking dinner right now.

Re:My Ambition

95% of stories on the front page have the red border on the left

I haven't seen that. At the same time?

My page is all green, except for stories from the mysterious future, which - apparently - everyone sees now. Mind you, I'm using the old comment system and have everything pretty vanilla. There may be UI tweeks I'm unaware of.

Sorry, this should probably be in a journal entry. It would be nice if they would post stories on changes like this and the user pages so we could

1. discuss them and
2. understand wtf is going on.

/OT rant

Re:My Ambition

[AceofSpades19]

Do I take the red pill, or the blue pill?

Re:My Ambition

[Tubal-Cain]

Purple.

Re:My Ambition

Hey, I saw stories in red too and I'm not a subscriber. Does this make me The Second ?

Re:My Ambition

[Plutonite]

Do I take the red pill, or the blue pill?

I said the Oracle in the park, not the dude replying to your post. Jeeze. Some savior you are.

On topic: I actually recommend reading the fascinating article, which sounds like it was taken right out of a B movie plot. Lots of criminals and informers and the same mistakes being repeated over and over again. What I really want to know, however, is why they weren't able to track him down as soon as he set up this new card-exchange website. I mean, the whole article seems to be focused on the idea of the FBI tracing him through others who got caught and interrogated and through the informers who infiltrated the business, but I couldn't understand why somebody with servers in his apartment in San Fran can't be tracked down directly. Earlier the article mentions he used evasion techniques like doing the actual hacking/cracking from hotel rooms where he sniped wifis (I thought I was the only one who did this while in college!) but later the dude sets up his own freakin website. Where exactly is the 'mystery'? They shuttered other websites and made arrests, why not him?

Re:My Ambition

[Jeoh]

Blue pill? Mine was green.

Re:My Ambition

[halcyon1234]

I get sick of explaining this, but the sig (which could not completely fit because of /.) ... void PAUSE(){ printf("\nPress any key to continue. . ."); while(1) getch(); } // enforce the 'any' key

Just a note: The sig char limit seems to have been increased to 120. I don't know when that happened, but if you go to Help & Preferences, General, scroll down to Sig and click the [?], it says 120.

An upgrade like that, I don't mind. As for the userpage, it's still ruined one of my favorite parts of Slashdot, and I'm fucking bitter about it

Re:My Ambition

[Kaz+Kylheku]

Any-key-humor was slightly funny twenty years ago when Homer Simpson couldn't find the Any key.

``Press any key'' unambiguously means that any keyboard input is acceptable.

The real point of the humor is that users (who are native English speakers) get so acustomed to grammatically-gutted error messages which lack proper capitalization, punctuation and the use of articles like "a" and "the", that they no longer parse ``press any key'' in the obvious way. It's a computer message so there must be article missing, right? The user has come to believe that the computer is a Russian immigrant.

The lesson from Any Key humor is that text presented to the user should be recognized as grammatic by a native speaker of the user interface language in which it is written, and it should follow the proper orthographic conventions used in the written version of that language.

A prank program that doesn't allow the user to continue because he hasn't pressed the nonexistent Any key is not funny. The victim won't get the joke; it just looks like something has frozen, which is indistinguishable from routine behavior of a computer running DOS and Windows.

This may be slightly better:

    unsigned int i = 0;

    for (;;i++) {
        getch(); /* nonportable character-at-a-time input */
        switch (i) {
        case 5:
            printf("please, i asking, to press any key!\n");
            break;
        case 8:
            printf("!!?? it is still not any key, what now you did!\n");
            break;
        case 10:
            printf("No no no! user to find ... any ... key ... and just to press!\n");
            break;
        case 15:
            printf("it is in afghanistan keypad on standard soviet keyboard.\n");
            break;
        case 20:
            printf("will not continue until any key. understand? discussion end.\n");
            break;
        }
    }

"Former white hat"?

[EmbeddedJanitor]

Sounds like he was always a black hat but just didn't cause enough problems while he still had his training wheels on.

He was used

[sammyo]

...by hackorX, the true ruler of the hacker underground. You've been warned script kiddie hacker wannabes.

Re:He was used

[Amazing+Quantum+Man]

Isn't hackorX really Max's long-lost brother Rex Hackor, in disguise?

Re:He was used

Parent comment is awesome.

Re:He was used

[rts008]

Kudos for the Speed Racer reference, perfectly timed and exploited.

What I want to know is:
now that he's in jail, who gets the chimp? (forget the kid and Trixie-they are just annoying)

Re:He was used

Parent comment is awesome.

Re:He was used

No...Parent comment is awesome.

The article leaves out a key piece

Posting anonymously for obvious reasons.

I went to school with Max Butler. He's driven by constant challenges. I knew Max as a friend and as such witnessed the same vitriol and hatred he put up with from others who did not understand him. Teachers often openly mocked him, especially in computer science courses.

His escape from it all came from hacking. He noticed he had a particular knack for it. He'd get really engrossed, and it became sort of a downward spiral from there. If you know anyone like him, please do not ostracize him in his forming years. Imagine if he had been a solid, contributing member of society like timecop, or the millions of other good natured people that run trolling organizations that specialize in making fools out of idiots like yourself.

Re:The article leaves out a key piece

[macraig]

You could be Max Butler himself. for all we know, trying to employ a little PR here.

I'm just sayin'. Your key piece isn't very useful until we actually know that it's true.

Re:The article leaves out a key piece

[Burning1]

There's a huge difference between criticism and ridicule. To be frank, most of us went through that kind of stuff growing up. Very few of us turned out anti-social.

Re:The article leaves out a key piece

[digitalhermit]

I went to school with Anonymous Coward. He's driven by shame. I knew AC as a friend and witnessed the same vitriol and hatred he put up with from others who did not understand him. Users often openly mocked him, especially after he posted comments about Apple Computer.

His escape came from posting. He noticed he had a particular knack for it. He'd sometimes post a thousand times a day to Slashdot (just check the logs and you can verify this for yourself). If you know others like him (such as Anonymous Howard, Eponymous Dotard, Androgynous Blowhard), please do not euthanize him in his cromulent fears.

Re:The article leaves out a key piece

[Galactic+Dominator]

I don't condone what this what person did. The way he treated others around him and the apparent arrogance he had to impose his wants with disregard for anyone else's well being is cause for punishment. It's equally scary to see a person claim they've walked a mile in every troubled person's shoes. Sure, we've all had tough times, especially in childhood. Does that give me the moral high ground to pass judgment on every person that's infringed on the rights of others? I don't actually see much difference between this guy's arrogance and your own. Perhaps there is one in behavior...

Re:The article leaves out a key piece

[mschoolbus]

go back upstairs and turn the light off

Re:The article leaves out a key piece

[FishAdmin]

To be frank,

Darn it, it's MY turn to be Frank tonight! It's your turn to be Eva!

Re:The article leaves out a key piece

[hesaigo999ca]

I am very honored to have passed a few good "teachers" not only in life, but especially in computing. I am a software developer, and tend to think that my main advantage was a great teacher....he had the patience unparalleled by others. He also had a teaching style that made anyone learn what he taught. He knew how to read his student's learning style and adapt his teaching style accordingly.

He went on to bigger things, but always gave me the want to better myself and also to better my comp skills. Knowing so many things about computers is a certain responsibility, like driving a car or airplane, they can be used to create major damage in society, whether you fly into a tower, crash into another car, or wipe someone's credit out....it can be viewed as the same responsibility.

The best thing to do is to try and talk to "these" people as they are special, as I was, only need a few good triggers to spawn a new better , more evolved genius that does see the rights and wrongs of society and life in general.

He may have been misguided, but still is responsible for his actions. Just like the man who molests a kid, because his father before him did...makes you understand why, but not accept it as ok.
He does some time, then comes back into a community where he can offer his consulting services to those who need it.

Re:The article leaves out a key piece

I'm glad you can see my good side.

I guess it's time . . .

[catbertscousin]

. . . to hang up his hat. Whatever the color.

Article?

"Once inside, he sucked out their content, including the logins, passwords, and email addresses of everyone who bought and sold through the sites. And then he decimated them, wiping out the databases with the ease of an arsonist flicking a match."

This seems to be written more like a work of fiction than an account of the hack. The description echo'ed the language used in Jeffery Deaver's "The Blue Nowhere".

Re:Article?

[momerath2003]

Wouldn't decimating them mean having to leave 90% of the logins?

Re:Article?

"Once inside, he sucked out their content, including the logins, passwords, and email addresses of everyone who bought and sold through the sites. And then he decimated them, wiping out the databases with the ease of an arsonist flicking a match." This seems to be written more like a work of fiction than an account of the hack. The description echo'ed the language used in Jeffery Deaver's "The Blue Nowhere".

Yeah, Wired is more entertainment than facts. I guess I'm just thankful we're not linking to yet another top ten somethings of 2008 from them. Talk about soft 'journalism' ...

Re:Article?

[zappepcs]

Well, no readership otherwise. For all my SO knows, I could be hacking the great Chinese firewall. She would not know otherwise and would not care. Trying to get Adobe flashplayer 10 64bit alphaOMGpre-release to work on Ubuntu looks exactly the same as hacking the Chinese Embassy's coke machine server to her if there is no narrative to let her know what is exactly happening.

Re:Article?

[77Punker]

Yeah, but just one man alone was able to take out 10% with just a few keystrokes! Such horrific power! Which of the remaining 90% will be next?

After he had access, that is. Yeah, this would be written better if it simply said:
"...he was able to take control of the computers. With said control, the computers did everything he told them to do including delete stuff."

Re:Article?

[multisync]

"Once inside, he sucked out their content, including the logins, passwords, and email addresses of everyone who bought and sold through the sites. And then he decimated them, wiping out the databases with the ease of an arsonist flicking a match."

This seems to be written more like a work of fiction than an account of the hack.

True, but I'll bet there were lots of cool graphics swirling around his head while he was doing it!

Re:Article?

[iluvcapra]

It's still more technically accurate than the average William Gibson novel...

Re:Article?

[TheoMurpse]

Yes, just as "homophobe" only means "afraid of that which is the same as them," "you" is only the polite form of indicating the addressee ("ye" being the casual form), "villa" only means "farm," "awful" only means "deserving of awe," and "girl" only means "young child of either sex,".

Here's a tip: words change meaning.

Re:Article?

Yeah, Wired is more entertainment than facts. I guess I'm just thankful we're not linking to yet another top ten somethings of 2008 from them. Talk about soft 'journalism' ...

Said it before and I'll say it again. Wired is a pretentious, bloated business and consumerist lifestyle magazine. It effectively masquerades as a science and technology publication for those who similarly like to pretend (and probably believe) that they are into those things; when in truth they're not much into science at all, are only really interested in the fetishisation of cutting-edge technology and appropriate both as a lifestyle and fashion accessory.

Re:Article?

[dave562]

The article is a work of fiction because the actual details weren't available. The author states at the beginning that the details were recreated from court documents. Given that Poulsen himself is a hacker, it is pretty safe to assume that he guessed pretty closely on the details. There are only so many ways to bust into a web server, and SQL injection along with compromised passwords seems likely enough. As for what he did after he had access, what is so fictional about that? He dumped the data and dropped all of the tables. Ooooo, big stretch of imagination there. We're talking about a serious blend of fantasy and sci-fi right there.

Re:Article?

[witherstaff]

But at least Gibson's works are labeled under Fiction.

Re:Article?

[Drakonik]

I wish I had mod points. The people that pull the decimate line piss me off so incredibly much.

Re:Article?

Yes, just as "homophobe" only means "afraid of that which is the same as them,"

Well there have been indications that some of the most rabid homophobes have been either closet homosexuals, or people denying their own homosexual urges for religious or societal reasons. So that might not be as inaccurate as you think.

Re:Article?

[Hecatonchires]

So true. I'm "good with computers". That doesn't mean I'm a hacker.

Re:Article?

[korean.ian]

I wonder who did the soundtrack.

Re:Article?

[oni]

I notice this a lot. Journalists can't take the time to learn about technology, and it shows in their writing. I often wonder if doctors feel the same way when watching Dr. shows on TV.

Re:Article?

[momerath2003]

The internet is serious business.

Also,
http://qwantz.com/archive/001377.html

Re:Article?

[oasisbob]

Forget Doctors, even designers and typographers care about inaccuracies in popular media.

Check out this article about anachronistic fonts in movies.

People are weird: we seem to care about just about everything.

Re:Article?

Remember: http://catb.org/esr/graphics/esr001.jpg

Re:Article?

[duanemc]

Nono, that only happens when you hack a Gibson.

Re:Article?

..."girl" only means "young child of either sex,"....

Michael Jackson is this another of your alter egos?!?

Re:Article?

[harry666t]

"Once inside, he sucked out their content, including the logins, passwords, and email addresses of everyone who bought and sold through the sites. And then he decimated them, wiping out the databases with the ease of an arsonist flicking a match."

SELECT login, password, email FROM users;

DROP TABLE users;

-- EXCITING!

Re:Article?

[clam666]

He should have been more careful sucking out that content.

There could have been some teenagers in there and made it statuatory.

Re:Article?

[elrous0]

And he lived in a world where a computer geek can hook up with Angelina Jolie.

Re:Article?

[FishAdmin]

I was with you right up to this point:

"awful" only means "deserving of awe,"

Now I have to be an etymology Nazi, and point some things out: When awful first came into our language (approx. 885AD, attributed to Alfred the Great), awe was an Anglo-Saxon word meaning "fear, dread, terror" (Oxford English Dictionary). At that point, awful DID mean "full of awe", but in the sense of "full of fear; full of dread".

It was much later (16th Century) that the word awesome came into being, and the word awe had changed to mean "dread mingled with veneration; reverential or respectful fear", mostly due to it's association with the God of the Bible.

So, you were correct in words changing meaning, but it was the word awe that had evolved, not the actual word awful.

/Nazi

Re:Article?

Let's just surround the earth with giant quotation marks. "This" "way" "we" "won't" "have" "to" "acknowledge" "any" "objective" "reality".

Re:Article?

[TheoMurpse]

That's terribly fascinating! However, the word "awful" now doesn't only mean "full of fear," either. It is most often used today to mean "exceptionally bad."

Thus, my original point still stands. However, I am a bit older and a bit wiser--the "wiser" is thanks to you.

Re:Article?

Maybe it wasn't him at all. Maybe little Bobby tables just wanted to join the forum.

Doofus Maximus

The first rule of hack club is you don't talk about hack club.

Hope he has fun in "Federal pound me in the ass" prison.

Re:Doofus Maximus

[GOMF]

they showed him the real definition of a "Back door" entry method !!!!!! -_~

Re:Doofus Maximus

[JCSoRocks]

No conjugal visits?

Re:Doofus Maximus

Plenty... They're just from the other inmates is all.....

Re:Doofus Maximus

He's a hacker what would he conjugate with?

Re:Doofus Maximus

what's the exchange rate between pounds and bucks in prison?

Honest money

The way I figure it all the effort that goes into making big money doing crime would be better used in the 'real' world.

I live in the ghetto and the skills required to sell drugs/weapons can be easily transferred to the business world rather easily and the income is higher.

Honest money allows me to sleep at night and at the end of this train ride, the books will be balanced and that man in the sky will do the accounting and even it all out.

Re:Honest money

Michael Fincke or Yuri Lonchakov?

Re:Honest money

[dave562]

The reality seems to be that the "job experience" gained as a member of a organized criminal enterprise doesn't look very good on a resume. You're right that the money is better, unless you're selling cocaine. In that case, the risk/reward equation is seriously out of wack, especially on a long enough time line.

Re:Honest money

[Weaselmancer]

Two things, AC.

1) You can't prove you're right any more than he can.

2) Regardless of who is right, his final thoughts as he leaves this world will be more pleasant than yours.

Re:Honest money

[Eil]

I live in the ghetto and the skills required to sell drugs/weapons can be easily transferred to the business world rather easily and the income is higher.

But honestly, which is more fun?

Re:Honest money

1) You can't prove you're right any more than he can.

Prove he's right?

The onus is on the believers, fool... or do we have to rehash logic 101.

Re:Honest money

[gad_zuki!]

Dishonest dealings makes you paranoid and suspicious. It increases your chances of going to jail. The people you work with end up going to jail or get killed. People like the guy in the FPP sell crypto and hardening services to child pornographers and human traffickers. They dart from gig to gig hoping they wont get caught. Its incredibly stressful to be a successful crook.

Ultimately, many gun and drug deals lead to victimization or are victimizing acts themselves. Read about how many people get killed just trying a deal.

Yes, there is a real benefit in an honest living. Its 'hip' to think everything is morally relative, but really threyre not. How you feel about selling guns to gangbangers is very different about how you feel selling widgets to the Walmart crowd.

>You can't prove you're right any more than he can.

Here's some illustrated proof on what a typical life of crime gets you. Or this.

Re:Honest money

???

He doesn't have to prove anything. Neither do you.

It's a matter of faith: Action based upon a belief, sustained by confidence.

HIM: There is a God, and I'm going to act like He's watching.
YOU: There is no God, and I'm going to act like it.

Re:Honest money

[Weaselmancer]

The onus is on the believers, fool

True enough, but you've missed something. Both sides in this argument believe something. Something unprovable.

I would reserve the 'fool' for someone who missed that point. Perhaps you could benefit from a logic refresher yourself, AC.

Re:Honest money

HIM: There is a God, and I'm going to act like He's watching.
YOU: There is no God, and I'm going to act like it.

"HIM:" Is also assuming he knows WHICH god is the RIGHT god. Let's suppose the "real" God is paranoid and doesn't want anyone to know what he wants or where HE lives and HE wants us to act like HE doesn't exist.

Now who's right?

Check out an old animated movie with the guy from Three's Company, John Ritter I think. "A Flight of Dragons". Short version? Once you start to try deny one bit of magic, you have to deny them all to not be a hypocrite. CTRL-ALT-DEL did a wintereen-mas episode on it too: "Show me a proof which invalidates my god that can't simultaneously be used to invalidate yours."

Re:Honest money

And because no one can prove their explanation is 100% correct, we're left with admitting that every explanation has a 50% probability of being the correct one...

Re:Honest money

I live in the ghetto and the skills required to sell drugs/weapons can be easily transferred to the business world rather easily and the income is higher.

You're right and the key difference is pretty simple...

People don't care where/if their dope man went to school, what color he is or where he grew up just the product and service.

Re:Honest money

[shoemilk]

The only thing more annoying than die-hard Chrisitan is an over-zealous Athiest.

Re:Honest money

[harry666t]

> Now who's right?

You are, for your own definition of anything. Beliefs are personal. You'd probably laugh if you'd know what do I believe in; but I don't give a fuck -- believing in what I believe actually makes things in my life more convenient -- my conscious and subconscious beliefs are working day and night to help me in accomplishing whatever task I need to accomplish.

If a belief in a god makes you a happier person, why not be happier? If a belief in your programming skill makes you a better programmer, why not be a better programmer? If a belief in fairies at the bottom of the garden makes you appreciate the beauty of the garden, why not appreciate it?

Your mind is a powerful tool, just learn to "program" it effectively, and use whatever gives you the best results.

Re:Honest money

[harry666t]

How about "neither of the two is correct"?

The main problem with "god exists" vs "god doesn't exist" is IMO with the definition of god. I've got my own; does it make the odds 33%/33%/33%?

Re:Honest money

[harry666t]

How? They're not the same?

Re:Honest money

[Locklin]

To require proof (or evidence) of a thing in order to believe it exists is not a belief, but simply rational scepticism.

If I tell you that sea water is made of supernatural jello, you are perfectly capable of asking me for some proof without forming a new "belief" that seawater is *not* made out of supernatural jello. Perhaps, you could argue that valuing scepticism is a belief, but then the onus is not on the GP to disprove God but simply to prove scepticism in general has value (easy).

Re:Honest money

"True enough, but you've missed something. Both sides in this argument believe something. Something unprovable. "

You're wrong. You have just fallen into an age-old pre-Kantian metaphysical error.

To illustrate: Person X imagines or believes the perfect island, filled with unicorns, mythical creatures, and thousands of gorgeous women exists somewhere on the Pacifc Ocean. Person Y does not belive this island exists.

Do both of these individuals "believe" in the existance or non-existance of the island? The answer is no as to person Y, as the existance is merely a predicate of the object's being. The island itself is nothing more than a concept to Person Y. To state that something does not exist does not necessarily imply a belief, ontologically or otherwise.

Re:Honest money

[neomunk]

Your mind is a powerful tool, just learn to "program" it effectively, and use whatever gives you the best results.

This my friends is the One True Religion.

I'm not saying anything for or against $DIETY, but when all the dust from the argument settles, the "program" mentioned in parent's final sentence is the effect you're left with. Your best bet is to find one that will guide your mind the way you wish, and implement it.

Re:Honest money

[neomunk]

To be fair, how do you settle an argument between a man who says the sea is made of jello, and a man who says there is no sea at all when you live a lifetime's journey to the sea?

Re:Honest money

Same AC here.

HIM: There is a God, and I'm going to act like He's watching.

The problem I have with this is that one is assuming all three of the following, not just two:
1) there is a god, which is fine - it can't be disproved after all.
2) That "God is watching". Generally speaking is all knowing, powerful, moves in mysterious ways, etc. Still not unreasonable, if perhaps improbable. Collectively we can refer to this as the magic.
3) That you are going to act like he's watching. That means you know "how" to act - that is, the all knowing, all powerful, and thus UNKNOWABLE god's mind is, somehow, known to you.

This "cognitive dissonance" is what I have a problem with - it's where a lot of the man made evil/inefficiency in the world comes from. How many times has "taking a shortcut on planning or QA" resulted in lengthy delays later? That's just in tech, much less the honest to Zeus holy wars that go on.

Assuming you "know" the real magic god's will is a hypocritical contradiction. If there really is an unknowable god, maybe he wants us all to velcro puppies to cats and and wear great cloaks made out of jellyfish while literally cannabalizing our children - Eat 100 and get into heaven! To just assume that YOU know GOD'S will is absurd, by definition. (Solipsism (?) aside)

As for myself, I don't know what the flying spagetti monster's reason for creating (or faking) the big bang is and I don't need to know. If he's watching, so be it, if not, it makes no difference in my empirical life. He either made it or faked it well enough to make no difference.

That said, my gf half believes in garden fairies and talks soothingly to her plants and enjoys gardening more as a result. SPirituality is fine and harmless, it's religion (the "God wants X, so we must Z." is my problem). My umbrella is a (pretend) magic sword when I whip it out, so I don't mind carrying it quite as much. Here's the key to my pretend magic sword and his pretend magic god: I know I'm pretending.

We may both be wrong - maybe it really is a magic sword. I don't know if there is a god, neither does anyone else. But odds are, if I'm wrong, he's wrong twice - once for the form of god, and then again on the will of god.

Re:Honest money

[jahudabudy]

but then the onus is not on the GP to disprove God but simply to prove scepticism in general has value (easy).

No, the onus is to prove that in this particular case skepticism is more valuable than credulity. Just like everything else, skepticism can be good or bad, depending on how it is applied. Just b/c skepticism results in positive outcomes in one situation doesn't at all imply it will result in positive outcomes in all situations. Can you prove (to the same level of rigor you require from religion) that your wife loves you? Probably not. Are you better off remaining skeptical of her professed love? Probably not.

Re:Honest money

[Locklin]

Well, I'm a scientist and not a philosopher, so I'm happy with the wealth of evidence and lack of counter evidence I have observed over the years.

When someone is making outlandish (supernatural) claims with no evidence or proof, it's relatively easy to make a general case for skepticism -no need to argue each and every special case.

Re:Honest money

Your mind is a powerful tool, just learn to "program" it effectively, and use whatever gives you the best results.

This my friends is the One True Religion.

I'm not saying anything for or against $DIETY, but when all the dust from the argument settles, the "program" mentioned in parent's final sentence is the effect you're left with. Your best bet is to find one that will guide your mind the way you wish, and implement it.

What if your life sucks and the only belief you can find that will let feel better is if you get your reward "in the afterlife" by killing innocent people, and just in case, the nice religious leader will see your kids get a couple bucks for food/school fees?
TERRORISM APPROVED!

What if "unbelievers" occupy your savior's alleged birthplace and don't honor him? Should you make war on them a thousand years after his death?
CRUSADES APPROVED!

What if the enemy of your god has given socially weak women magical powers?
BURN HER AT THE STAKE SALEM WITCH TRIALS APPROVED!

The problem with programming the brain is that there is a lot of malware out there (programs that say what "god" wants) and a lot of insecure systems running it (cognitive dissonance).

Re:Honest money

[jahudabudy]

Well, I'm a scientist and not a philosopher, so I'm happy with the wealth of subjective -- I added this! evidence and lack of counter evidence I have observed over the years.

You do realize that many religious people can point to numerous experiences that they interpret as subjective evidence that their beliefs are correct, with an equal lack of counter evidence. I admit I am making the assumption that your evidence of your SO's love is subjective; I would be amazed if you had conducted actual experiments, or even seriously considered competing hypotheses that would explain your observed phenomena.

When someone is making outlandish (supernatural) claims with no evidence or proof, it's relatively easy to make a general case for skepticism -no need to argue each and every special case.

Every current hypothesis about the boundary conditions of space/time are outlandish, including the concept of a creator. Yet I'll go out on a limb and state it is self evident that space/time does exist. To get back to my personal favorite example, there really aren't (to my knowledge) ANY scientific hypotheses about human emotions, as emotion is commonly defined. In fact, there are people that don't believe love is anything more than a hormonal reaction, intrinsically tied to biological sex. Perhaps you are one of them, in which case, kudos on your consistency and rationality. You probably don't believe in conscious volition, either, since most neuroscience thus far indicates that it is merely an illusion, with absolutely no evidence that supports it.

Anyway, my point is simply that, unless you are an unusually (almost inhumanly) rational person, there are things in life in which you believe that are as scientifically unsupported as the existence of God. Yet you believe them to be true because of your personal experiences. If I were to claim my wife loved me, you'd probably accept that; if I claim there is a God, you reject me as a kook. Yet, rationally, the only difference is you have personal experiences that leads you to believe in love. A 10 year old orphan on the streets of Hong Kong might find you as ridiculously deluded about love as you find others to be about God. And you really can't support your position any better than the religious can.

Re:Honest money

[neomunk]

Then we get into morality, which to me is a different ball of wax altogether. That's like discussing the merits of C, and you mention that many trojans are written in C. Well, yeah, that's the power of C.

And there will always be malware (speaking both literally and metaphorically), there are better ways of dealing with it than either condemning C or murdering malware writers (to make the analogy complete).

Re:Honest money

Then we get into morality, which to me is a different ball of wax altogether. That's like discussing the merits of C, and you mention that many trojans are written in C. Well, yeah, that's the power of C.

And there will always be malware (speaking both literally and metaphorically), there are better ways of dealing with it than either condemning C or murdering malware writers (to make the analogy complete).

Not so much that "C" is bad, but that any style of white space formatting other than "3 spacebar, no tabs" is an affront to the creator of all existence.

Tabs, 8 spaces, 3 spaces, 5 spaces, whatever.

If you believe in a "1 true formatting" then you deny yourself (and others) the flexability to use what works best for them.

THAT is the problem, even if you were right about which god and which doctrine is the "right" one.

Re:Honest money

However... saying that sea water is NOT supernatural jello, without actually viewing the sea water in question *IS* an act of belief. It is the same as saying there is/are no god/s. The proper response is, "I do not know."

Worded another way, if someone states something affirmative, the burden of proof is on them. Both statements, "There is a God.", and "There is no god." are affirmative statements. Not believing in something is not affirmative.

strike

Fiction worthy of Stephen Glass!

From TFA:The heat in Max Butler's safe house was nearly unbearable. It was the equipment's fault. Butler had crammed several servers and laptops into the studio apartment high above San Francisco's Tenderloin neighborhood, and the mass of processors and displays produced a swelter that pulsed through the room. Butler brought in some fans, but they didn't provide much relief. The electric bill was so high that the apartment manager suspected Butler of operating a hydroponic dope farm.

I am convinced that this story was fabricated by some Stephen Glass wannabe.

Re:Fiction worthy of Stephen Glass!

[earlymon]

HTH - http://en.wikipedia.org/wiki/Tenderloin,_San_Francisco,_California

White hat?

Just showing my ignorance here, but can someone give me a definition of what 'hat colors' mean? Red Hat I know (I guess), but White Hat? Black Hat? Blue Hat?

Someone throw me a bone, here.

Re:White hat?

It comes from old Western movies. The "good guy" cowboys all wore white hats, and the "bad guys" wore black hats.

Re:White hat?

[karstdiver]

I think the reference was simply: white hat==good guy black hat==bad guy. See also the "Six Hats" method for thinking (but I'm not sure it applies in this case): http://members.optusnet.com.au/~charles57/Creative/Techniques/sixhats.htm

Re:White hat?

[moderatorrater]

People who hack for "good" reasons are white hat. People who do it for malicious or immoral reasons are black hat.

Re:White hat?

white hack:
common definition: hacker working for the good guys
real definition: hacker working for me^Wus.

black hack:
common definition: hacker working for the bad guys
real definition: hacker not working for me^Wus

Re:White hat?

Going by Final Fantasy here.

White Hat heals people
Black Hat attacks people
Blue Hat is a script kiddie
Red Hat can do a little bit of White and a little bit of Black. Why not Gray is beyond me.

Re:White hat?

[Facetious]

So is curiosity a good thing or a bad thing?

Re:White hat?

[77Punker]

Someone throw me a bone, here.

Jimmy hat?

Re:White hat?

[Defectuous]

Think of old westerns for the answer here. White almost always represents the good guy. Black almost always is the bad guy.

Re:White hat?

[Xtifr]

It's a grey area, which is why those who hack purely for the personal satisfaction, rather than for "good" or "bad" motives are called grey hats. :)

Re:White hat?

[darthflo]

A good thing. A white hat hacker might break into a network out of curiosity, enrich his knowledge and then alarm the network operators of their problems and even help them with plugging those holes. Penetration testers are white hats too.
A black hat would tend to publicize or sell the vulnerabilities without notifying potential victims.
A cracker would destroy or alter files and generally wreak havoc.

Re:White hat?

[alexborges]

We do have a "grey" hat category! :)

Re:White hat?

[TheoMurpse]

Don't forget "green hat." Those are hackers who shut down computers across the globe in order to reduce the world's carbon footprint.

Re:White hat?

White hats don't hack networks without permission, even if they plan to alert the network owner later. That is pure gray hat territory.

White hat hackers do pen tests, but only when given permission (or, more often, are hired to do so).

Re:White hat?

True, but I think this guy was more of the classical "ass hat" than anything else. Whereas many of the slashers here are the "tin foil hats".

Re:White hat?

[MrMr]

Do you like cats?

Re:White hat?

[jollyreaper]

Don't forget "green hat." Those are hackers who shut down computers across the globe in order to reduce the world's carbon footprint.

And red hat hackers are also old ladies who like to set up elaborate luncheons.

Re:White hat?

[TheMadTopher]

Mod parent up. Funny... or Informative for the latter part!

Re:White hat?

[descil]

Let's not forget about Gandalf!

Re:White hat?

That's always amused me about the terms white-hat and black-hat...

Go back and tTake another look at those old westerns. It's the other way round!

Ah. It all becomes clear

[girlintraining]

It wasn't that this guy was whacking other underground sites, it's that he also nailed the FBI's "sting" website. The FBI and him engaged in a turf war, because if there's one thing the government hates, it's stealing. It hates competition.

Catching Max Butler

[Arancaytar]

I'm assuming this is a pseudonym? Or is he hiding abroad? Because if his real name is known, he can't be that hard to catch...

Re:Catching Max Butler

[Emb3rz]

I must be new here, because it's difficult for me to believe that you didn't RTFA!

He's in a prison in Pennsylvania playing D&D while awaiting his trial.

Re:Catching Max Butler

[oskard]

I'm assuming this is a pseudonym? Or is he hiding abroad? Because if his real name is known, he can't be that hard to catch...

Have you ever heard of this guy?

Re:Catching Max Butler

[Arancaytar]

Addendumg: RTFA, my bad. I took "made the feds determined to catch him" to mean they hadn't yet, but they have.

Re:Catching Max Butler

[anothersockpuppet]

Aren't we controlled by the same overlord?

Re:Catching Max Butler

[Dramacrat]

He puts on his robe and wizard's hat.

Re:Catching Max Butler

[azenpunk]

funny, i've never found the feature on my GPS unit that lets me put in a name and drive right to someone

CHECK MATE

[synthesizerpatel]

If you're going by the Roman definition, modern definition such as 'decimation in time' can mean any size reduction of a set, although I don't think down to zero.

Although, Lindsay Nagel would disagree, since zero is a percent.

Re:CHECK MATE

[rk]

since zero is a percent.

Please, let's leave the value of my 401k out of this.

Rather interesting line at end of article...

[GPLDAN]

Months later, Aragon's lawyer gave him some bad news. The Secret Service had cracked Butler's crypto and knew more about the hacker than Aragon didâ"which meant Aragon would probably never be offered a deal, even if he wanted one.

The USS cracked the Whole Disk Encryption of Max Butler.

Now reading about this guy, does Max Butler seem like the kind of guy who is going to keep his WDE password on his PDA?

No, I didn't think so either.

So, what kind would he be likely to use? dm-crypt under Linux? Commercial PGP? Scramdisk? TrueCrypt?

I think more WDE is backdoored than any of us suspect, and my takeaway from that line is that the commercial products aren't to be trusted.

Re:Rather interesting line at end of article...

[Schemat1c]

The USS cracked

Sounds like the worst name ever for a ship.

Re:Rather interesting line at end of article...

[ravenshrike]

Clearly you haven't read Vorpal Blade. http://harrietklausner.wwwi.com/review/manxome_foe_taylor

Re:Rather interesting line at end of article...

[snowraver1]

It could also be that the gov't has farms built for the purpose of cracking encryption. This guy was clealy high on their list, so it was worth the CPU time to crack. Just a guess.

Re:Rather interesting line at end of article...

Question is, are the GPL ones more trustworthy? If the back door is in the algorithm, AES (which comes from NSA), then Kaboom!

Re:Rather interesting line at end of article...

[GOMF]

I think there is justa restriction on the encription key length, so that with a good amount of processing power you can crack it without too much effort. the GLP'ed code is viewable, so a backdoor would be hard to get away with.

Re:Rather interesting line at end of article...

[rezalas]

You know so little that your ignorance almost forms a loop back onto itself right past dumb ass and beyond, taking you right back to knowledgeable. Almost.

Re:Rather interesting line at end of article...

[jjohnson]

AES does not come from the NSA. "AES" stands for "Advanced Encryption Standard", and the algorithm selected, Rijndael, comes from two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted it to the AES selection process. All algorithms that took part were publicly evaluated for five years by the cryptography community at large, and Rijndael was selected pretty much by public acclaim.

Re:Rather interesting line at end of article...

[Cyberax]

The main problem with encryption now is that you can't remember good enough keys anymore.

It's quite possible to brute-force ten-letter alphanumeric passwords. With some assumptions it should be possible to brute-force even larger passwords.

Re:Rather interesting line at end of article...

[Raenex]

If the encryption isn't government-farm proof then it's kind of worthless as encryption.

Re:Rather interesting line at end of article...

Someone I know in the US intelligence field stated that most crypto he came across in the field could be backdoored. Since that statement I've been highly skeptical of everything not tried and true open source.

Re:Rather interesting line at end of article...

The thing is: people keep saying that good crypto, while breakable, isn't realistically breakable, by which they mean using the entire computational resources of the planet running continuously for thousands of years. No matter how big any government's encryption-cracking farm, it should be a problem orders of magnitude too large. Twofish, for instance, is estimated to take 32 Petabytes of text before any significant progress could be made on decrypting it, while Blowfish has "no known way to break".
So the question becomes: does the government have quantum computers, and hasn't let on (and if so, why use them on something like this and let the secret out) or are there vulnerabilities in what we're all calling 'good crypto'.

Or, much more likely, did he actually use good cryptography programs, or did he do something stupid? (Or did the government install keyloggers on his equipment or any of a multitude of other ways of attacking the problem that doesn't involve brute-forcing TrueCrypt, for instance.)

Re:Rather interesting line at end of article...

[MostAwesomeDude]

There's only a few algorithms used in WDE, and of those, only AES and CAST have had any chance to be altered by governments. In particular, Blowfish and Serpent are, according to quite a few people, very reliable.

I personally find it very telling that the US government turned down Blowfish despite larger keysize, longer keyspace initialization, non-fixed S-boxes, and better performance, compared to AES.

At any rate, almost none of the current algorithms out there can be brute-forced, period. They're just too big.

Re:Rather interesting line at end of article...

[betterunixthanunix]

The probably just brute forced the key. It probably required a significant amount of time -- the article does not actually give timescales here, and Aragon's trial could have taken nearly two years, considering the high level operation that we are talking about here. With that much time, and the priority of the case, I would not doubt that the government could have devoted enough CPU time to brute force the password.

There are other ways that they could have gotten the password. For example, they could have analyzed the wear on each key from his keyboard, to figure out which letters were more likely to have been used in a password. It would not have cracked the password instantly, but it would remove many months of work from the process.

Re:Rather interesting line at end of article...

[betterunixthanunix]

It is very unlikely that the US government would deliberately sabotage the encryption standard for the entire country. It is asking for trouble to do so, since foreign powers are known to be engaged in hacking campaigns against US businesses and agencies, and back doors could be discovered by those powers. I thought we learned this lesson with DES, when the government demanded different S-boxes without telling anyone why, and the S-boxes they chose turned out to make the algorithm more resilient to differential attacks?

Re:Rather interesting line at end of article...

[rilian4]

ok. I saw the NCIS post and I can't resist...

They usually don't show a lot of the so called "hacking" that McGee(computer geek) or Abbey(the hot goth forensic scientist) partake in on screen thus making them almost believable (not quite) that the agents can actually do what they say they are doing...that said, they blundered badly in one episode. I don't recall which but here's how it played out...

McGee was tasked w/ searching a suspects laptop for data and stated to Gibbs that the hard drive had been 100% wiped out or erased or deleted or something like that. Note that 100% was in the dialog. The scene then quickly cut to a close up of the computer screen (very rare for NCIS) w/ a cutesy graphic displayed on the laptop showing "100% deleted" on top of what was obviously windows explorer in the background.

Most of you will see the error w/ no further explanation but just in case...

You can't run windows on a laptop that has just had its hard disk totally wiped out. Now if the window had been knoppix or other *nix w/ said graphic, I might have believed McGee actually booted the system off a forensic CD/DVD and checked the drive from there but this was a full blown regular looking windows explorer background w/ a cutesy window saying "hard disk 100% wiped"

NCIS is still one of my favorite shows and overall I think they've done a decent job w/ the hacking even if all they do is *not* show us fake graphic hacking screens...this is just one time where they blew it. What is more fake is where that "hot goth chick" can get DNA and fingerprint results back on anybody on the planet before the next commercial break or on a slow day, right after the break.. ;-p

Re:Rather interesting line at end of article...

[rilian4]

It could also be that the gov't has farms built for the purpose of cracking encryption...

They do, it's called the National Security Agency. A whole department devoted to encryption/decryption.

Re:Rather interesting line at end of article...

[Wonko+the+Sane]

The USS cracked

Sounds like the worst name ever for a ship.

USS Cracked? Doesn't seem to bad to me.

Re:Rather interesting line at end of article...

[witherstaff]

Maybe it was just a copy of Windows ultimate boot CD. On a serious note, I wonder how much MS pays to get even little flashes like that in a show?

Re:Rather interesting line at end of article...

What if you forget your password? You'll need at least someone to let you in.

Re:Rather interesting line at end of article...

[_Stryker]

But what if the OS was on one disk and all the user data was on a 2nd disk. And that 2nd disk was the one that was 100% wiped?

Re:Rather interesting line at end of article...

Not really. When I was a kid I had a simple cheepo safe for my goods. It wasn't safe from the worlds best safe crackers or even a 20 pound sledge hammer, but it was good enough to keep my brothers hands off. Encryption is like that too. Sometimes your valuables aren't that valuable, and you just want to make it difficult enough to keep out amateurs.

Re:Rather interesting line at end of article...

[darkuncle]

if by "cracked" you mean "brute-forced his password" or maybe "brute-forced him until he gave up his password", then yeah, I believe you.

Ken Thompson aside, I doubt there are purpose-built backdoors in any open source encryption project (commercial is another matter entirely).

holes that can be exploited, on the other hand, are probably a dime a dozen.

Re:Rather interesting line at end of article...

[StikyPad]

That's why you use pass phrases. "Peter Piper Picked A Pickled Pepper!" is a far better password than #$q%{:}, and it's easier to remember. As a bonus, using natural language won't "wear down the keys" any differently, as a sibling poster suggested (although it's a ridiculous idea to begin with and sounds like something out of a movie).

Re:Rather interesting line at end of article...

[Cyberax]

Nope, it's not. It's actually a horrible passphrase, since it contains only dictionary words.

Re:Rather interesting line at end of article...

"Only dictionary words" isn't a problem; while 70^6 isn't great, 600000^6 (based on the number of words in OED2) is better than an 18-character password from a 70-character alphabet.

The fact that it's a well-known phrase (and, to a lesser extent, that it only uses common words) is a bigger weakness.

Re:Rather interesting line at end of article...

[cdrguru]

Anyone that doesn't want to get fired does the following:

- Remove the hard drive
- Image the hard drive with a read-only adapter
- Put the computer in the evidence locker
- Work from the image

Failure to do this will result in your being branded an incompetent fool and fired. On the spot.

Yes, my company works with state, local and federal law enforcement on this kind of stuff.

Re:Rather interesting line at end of article...

[Bender0x7D1]

Simply replace the spaces with a different character, or combination of characters. Problem solved.

Re:Rather interesting line at end of article...

[CodeBuster]

Not at all. The final value of this carders hoard of unused dumps was estimated to be in the range of 500 million dollars (at least according to the article) and the USSS was involved along with the FBI in an attempt to shut down the largest consolidated carder site ever assembled by one person. As other posters have pointed out, analysis of keyboard wear (assuming that Mr. Butler didn't have the foresight to regularly change his physical keyboard) might have assisted the effort greatly (yielding a success before all or even most of the possible key space had been exhausted). The point of encryption is not to provide absolute protection for all time against all efforts but rather to provide protection for a limited amount of time as a function of the resources of your adversary. The United States, as one of the reigning superpowers of the world, has a vast amount of money and resources at it's disposal (we spend more then 500 million dollars in Iraq every week). Even the best encryption will eventually fall to a determined enough adversary with enough resources to throw at the problem. The article mentions a time frame of serveral months to years (and the trial probably went on for a couple of years) which sounds reasonable if government super computers were being enlisted in a distributed brute force search of the keyspace. Fortunately, for most of us, our data is not worth 500 million dollars and so no great effort will made to brute force our FDE keys in the event that our laptops are lost or stolen. Even the resources of the largest governments are finite after all and no protection, even the strongest encryption, is infinite, but that doesn't make FDE useless.

Re:Rather interesting line at end of article...

Rarely have I actually laughed out loud from a comment, thank you good sir

Re:Rather interesting line at end of article...

USS = United Soviet States, where the Feds hack YOU.

Re:Rather interesting line at end of article...

[techno-vampire]

For example, they could have analyzed the wear on each key from his keyboard, to figure out which letters were more likely to have been used in a password.

Assuming that he was using English, that would have lead them to believe that his password consisted mostly of the letters etoanirsh as those are the most commonly used letters in English. If so, it probably wasn't much help to them, especially when you consider how often he had to use that password in comparison to whatever else he was doing day to day.

Re:Rather interesting line at end of article...

[Bender0x7D1]

I personally find it very telling that the US government turned down Blowfish despite larger keysize, longer keyspace initialization, non-fixed S-boxes, and better performance, compared to AES.

You can turn off your conspiracy detector. First, Blowfish wasn't allowed to be used in AES since the call for algorithms required it to handle a block size of 128 bits.

Twofish was submitted but Rijndael was selected because of it's performance in the different types of hardware that they tried. There is a Report on the Development of the Advanced Encryption Standard [PDF warning], that provides a performance comparison, (by rating it I, II or III), of the various algorithms submitted for AES using a variety of hardware and environments, like 8-bit C and Assembler. (Figures 2, 3 and 4 in the paper.)

Also, the NSA approved AES for use on U.S. Top Secret information. They would hardly do that if there was a known method of cracking it.

Re:Rather interesting line at end of article...

[registered_after_8_y]

Yup, he probably typed his password at most a few dozen times a day, while spending the rest of the time hacking into databases, which I somehow believe requires quite a bit of typing... well of course, if he used letters common in English and a lot of brackets and such then they may very well have used this, but as the parent says not very likely.

Re:Rather interesting line at end of article...

[theLOUDroom]

What a load of hogwash!

analysis of keyboard wear [...] might have assisted the effort greatly

No. It would not. It's pretty simple. How many times do you type your password vs. how many times do you type some other word? Try doing some computer simulations if you don't believe me. The data will be lost in noise.

The point of encryption is not to provide absolute protection for all time against all efforts but rather to provide protection for a limited amount of time as a function of the resources of your adversary.

No. The point is to take advantage of math problems that are asymmetrically hard to solve.
The goal is to create the largest force multiplier you can. This is how crypto differs from regular security.
The perfect cipher would be simple enough for a human to compute readily on a single piece of paper while resisting the brute forcing efforts of a computer built using every atom on earth, clocked at one terahertz and running since the beginning of the universe. It's a issue of scale. The "force multiplier" effect avaible from crypto is greater than anything in the physical security world. Imagine instead that instead of working with of E = MC^2, you were working with E = C*2^M. See how it's different? The work required to brute force a key baloons very quickly.

Even the best encryption will eventually fall to a determined enough adversary with enough resources to throw at the problem.

No, actually that's not a certainty.
In order for what you said to be true there would have to be fundamental weaknesses in ever cryptographical scheme ever conceived, now or in the future.
If we find even one decent algorithm, free of shortcuts, then by using a large enough key it is possible to ensure that your data is not decoded before the death of the sun.

which sounds reasonable if government super computers were being enlisted in a distributed brute force search of the keyspace.

BASED ON WHAT? Why is months any more reasonable of a timeline to crack an unknown encryption scheme with unknown resources? Why not milliseconds? Why not millenia?

You have NO IDEA, what a reasonable time scale would be and you're just talking out your ass here.

I suppose some my consider me rude for point that out, but there are those of us who find people randomly making things up to support their argument to be rude.

Re:Rather interesting line at end of article...

[mrphoton]

Window (i.e. Bit locker) uses 128bit AES-CBC encryption with an initiation vector calculated from the position of the block on the disk. http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption . There was some speculation on wikipedia that 128bit AES is not strong and that is why it is not used buy the US to encode the most sensitive information. Preferring instead to use the 256bit key for the most sensitive information. http://en.wikipedia.org/wiki/Advanced_Encryption_Standard The article mention that "Cryptographers worry about the security of AES". I wonder if they are correct......

Re:Rather interesting line at end of article...

[csartanis]

Except that when its going to take 10^50 days to crack, throwing more computers at it still isn't going to drop the time down into the reasonable range.

Re:Rather interesting line at end of article...

What? How the hell do you figure?

I would wager that there are about 170,000 words in use in the English language; maybe 150,000 of those are in a dictionary. Even if you had a pass phrase that contained only 3 words it could conceivably take 100,000 years to crack the damn thing assuming you try 1000 pass phrases a second.

Re:Rather interesting line at end of article...

[azenpunk]

i thought the point of good encryption was that the computational resources required to crack it in a timely fashion do not exist on earth even when summed.

Re:Rather interesting line at end of article...

Dont you watch NCIS ??? that hot goth babe can creack 256 bit encription before the next commercial break !!!

Dear God tell me you are joking. That bitch is beyond ugly. She's right up there with Fairuza Balk in the "so ugly we had to tie a porkchop to get the dog to play with her" department.

Seriously, all of you little goth freaks? You're fucked up.

Re:Rather interesting line at end of article...

[theLOUDroom]

It is very unlikely that the US government would deliberately sabotage the encryption standard for the entire country.

Because the US Government has never done anything stupid before?

We did give Saddam Hussein the key to the city of Detroit.
How'd that Vietnam war ever turn out?
How are things in Iran these days?

No the US would never shortsightedly adopt a policy against its own interests, especially with regard to cryptography.

An appeal to authority isn't a very good argument when that authority has repeatedly show itself unable to think more than a couple years ahead.

Re:Rather interesting line at end of article...

Even the best encryption will eventually fall to a determined enough adversary with enough resources to throw at the problem.

Wrong, a one time pad that is the length of the data is the best encryption and it can not be cracked. The solution consists of every possible combination of the data therefore it isn't even possible to know when you have found the key.

Of course OTP encryption is basically impossible in practical use. You either have to remember a key that is the length of your data or store the key somewhere which is a weakness that can be broken. It does exist though and invalidates your statement.

Re:Rather interesting line at end of article...

[Ignatius+D'Lusional]

Yeah, it's kind of a poor-man's version of the USS MAD Magazine.

Re:Rather interesting line at end of article...

[Prune]

In fact, the cracking of many symmetric encryption algorithms are not significantly helped by quantum computing. It is only specific algorithms that are susceptible.

Re:Rather interesting line at end of article...

[ladadadada]

What matters is not the keyspace size but where in your adversary's brute-force method your particular key is located.

For instance, if they try "aaa" then "aab" then "aac" then this 36 character pass-phrase will not be found for a VERY long time. If they start with words separated by spaces then this pass-phrase will be found much more quickly. Probably even more quickly than the pure punctuation pass-phrase.

But why would they ever use such a method ?

Normal brute-force methods focus on "normal" passwords. Passwords are usually 6 to 10 characters - often a dictionary word with a number at the end. The brute forcer would have no reason to suspect that the key was actually 6 dictionary words, each with the first letter capitalised, separated by spaces and with an exclamation mark at the end.

This is not just "only dictionary words" because it contains capitals, spaces and one punctuation mark and is clearly much more resistant to brute force attacks than a short password, even if the short password contains capitals, numbers and punctuation. As a bonus, it's also resistant to keyboard wear analysis.

The only thing that makes this a bad pass-phrase is that it is now cached on your hard drive and hence will show up if they run "strings" across the volume.

Re:Rather interesting line at end of article...

It's actually a horrible passphrase, since it contains only dictionary words

Depends on what sort of attack you're expecting. A seven ASCII character password has complexity of at most 95^7 ~= 7e13. But since the English language has ~500,000 words, a six word pass phrase has complexity of 500,000^6 ~= 1e34. Of course, a black hat can probably eliminate most words (100,000^6 ~= 1e30). Statistical chaining can probably knock off a bunch of combinations which don't make sense - say we loose an order of magnitude of each. We're still at 10,000^6 ~= 1e24. Even if we lose two orders of magnitudes, we're still at 1000^6 ~= 1e18. In fact, if we lengthened the phrase to 7 words "Peter Piper Picked A Red Pickled Pepper", we could do chaining with only 100 options, and still have a complexity greater than your "strong" 7 character ASCII code (100^7 > 95^7).

But step back a minute and think about what the attacker has to do to reduce it to "par" with your seven letter password. He has to decide which subset of words to take and then he has to perform natural language processing to figure out which word combinations are likely. Throughout this, we've assumed that the attacker is smart enough to know that we've used at most a seven word passphrase, have separated the words with spaces, only picked from a certain subset of common words, and made a sentence which makes sense grammatically. Let's back up to the point where the attacker has just got done with all 1e10 five word combinations. What will he test next? Will he gamble that you're favorite word might be truncheon? Will he account for the possibility that you've intentionally (or accidentally) a word? That you've used underscores instead of spaces? Or that you've extended the pass phrase to six (or seven (or eight?)) words? Or that you might have added an exclamation point or other punctuation at the end? (Re-examine the phrase given by Stikypad closely.)

This is assuming he's running through the pass phrases systematically, and is being exceptionally clever and knowledgeable, and knows for damn sure you've only used words in the dictionary. Something as simple as 'Cyberax Picked A Pickled Pepper' would completely mess up his system.

By the way, a stupid attacker brute forcing it would have cracked your "strong" seven character "#$q%{:}" password millennia before he ever got to the 36 character "Peter Piper Picked A Pickled Pepper!".

It's true that using a phrase that was easily Google-able (e.g. "Peter Piper Picked a Peck of Pickled Peppers") would probably fall quickly, like using "password" for your password would. But the same holds true for the easily guessed "p4ssw0rd" - using "Leet speak" in passwords is so often recommended for "hardening" passwords, that only an idiot would discount it. If I was a hacker, "p4ssw0rd" would be in the first 1000 I'd try, despite it not being in the dictionary.

Re:Rather interesting line at end of article...

[ITEric]

Why not use page(s) x of a book with ISBN y (first edition of a favorite book or even a cheap paperback with a memorable title, for example) for your key?

It limits the amount of data you have to remember while giving you a sufficiently long key. Seems pretty practical to me ;)

Re:Rather interesting line at end of article...

You are an idiot.

Re:Rather interesting line at end of article...

[betterunixthanunix]

"We did give Saddam Hussein the key to the city of Detroit."

He was once an ally, but that is irrelevant because it was not done by the NSA.

"How'd that Vietnam war ever turn out?"

From a military perspective, we were winning prior to the pull-out. We left because of eroded support for the war among the American public.

"How are things in Iran these days?"

You are 1 for 3, things are bad in Iran. But, as with the key to Detroit, this was not an NSA action.

"No the US would never shortsightedly adopt a policy against its own interests, especially with regard to cryptography." The laws surround cryptography are not passed by the NSA, they are passed by congressmen with little to no understanding of the field or how it works. Export restrictions on cryptography have nothing to do with the NSA, in fact, the NSA operates under the assumption that regardless of export law, publicly available cryptography systems will escape US borders. The idea that a cipher itself must be kept secret is beyond outdated; in fact, it is an idea that was dropped centuries ago, when the Kama Sutra cipher was published. While the NSA has, in the past, kept the nature of the ciphers used for SECRET and TOP SECRET level documents classified, this is no longer the case; AES represents a departure from that position.

AES is a mandatory standard for SECRET and TOP SECRET communications. This goes beyond the NSA, to every branch of the government. If the NSA had deliberately inserted a back door into AES, it would open the possibility of a foreign power deciphering high security communication within the US government. If you do not trust the NSA -- which hires expert cryptographers and security researchers -- to make good decisions about the security of the USA, then you might as well leave now for your own protection.

Of course, you do trust the NSA, and I notice that you never questioned my assertion about the DES S-boxes or anything relevant to actual cryptography. Another example would be the revision of SHA-0 to SHA-1 by the NSA; SHA-1 is more resistant to collision attacks than SHA-0. You do not seem to be interested in questioning whether or not the NSA introduced a weakness of some kind into SHA-1 or SHA-2. I agree that congress has a habit of passing stupid laws when it comes to cryptography, but to claim that this implies that the NSA has been trying to sabotage national security just screams of tin foil.

Re:Rather interesting line at end of article...

No, that isn't secure because the key space is limited. It would be possible to check the data against all known text. With your method it could be cracked within a very short period of time. I know you're now thinking about reversing the data, or every other word, or some other permutation but that is still not secure. In cryptographic terms it's a very small key space and can be broken easily.

You need a truly random key which is a problem in itself. Besides storing/remember the key, the random key generation algorithm can be another weak point for OTP encryption. The algorithm needs to be perfectly random which is very hard or maybe impossible if you know anything about Chaos Theory.

Security is very, very hard. Whatever you think is secure is probably not.

Re:Rather interesting line at end of article...

[arkhan_jg]

Just because he's a hacker doesn't mean they can't bruteforce dictionary search his password. You'd be amazed how many otherwise intelligent people pick a weakish password (word+number) even when shown why not to.

You wouldn't be amazed how many pick a really really weak password given the opportunity (6-letter or less word), it's as common as you think.

Still, with the NSA backdoor scare in windows, and the UK government deciding the police can attempt remote access of british PCs at will without warrants, it's no bad idea to be a little
paranoid of commercial WDE products, especially if they're american or british.

Re:Rather interesting line at end of article...

[CodeBuster]

If you read the article then you would know that he didn't even know that he was under surveillance by the USSS for some time before his arrest. They watched him move to a new appartment and take his stuff with him. They knew when he went out and what he took with him. They could have bugged his keyboard while he was out and recovered the key that way. The article didn't say how exactly they recovered the keys or even how long the passphrases were. If they can physically locate you and breach your physical security, as the government was able to do in this case, then it is only a matter of time before they catch you off guard. When they finally did arrest him they busted down the door while he was sleeping and threw him out of bed. There were ample opportunities to recover the keys, even if they didn't brute force them, because they compromised his physical security prior to his arrest.

How many times do you type your password vs. how many times do you type some other word?

It depends what you use your computer for and what the password is. If the password includes lots of punctuation characters that dont get typed as often as other keys for example or if numbers are used more or less etc. It might yield nothing or it might yield something, but you cannot say that under no circumstances would be of any help in brute forcing the keys. It might, it just depends upon the password and the usage patterns. If you have to try all of the keys anyway then the order doesn't really matter so it cannot hurt to try the keys with the more 'likely' characters first, even if that data turns out to be just noise.

Now suppose that they knew the cipher that was being used, maybe he used the default choice for whatever product he was using, it doesn't take to long to check a single key and even if they couldn't identify the algorithm being used checking three or more would only add a constant coefficient (the number of algorithms to check for each key generated) to the complexity of the attack.

No, actually that's not a certainty.

But it is not an uncertainty either. The NSA might have some cryptanalysis techniques that are not generally known that substantially reduce the keyspace or maybe they had some known plaintexts. The article didn't say how the FDE was cracked, but we do know that they got his keys somehow. At the very least this should signal to the average citizen that encryption is not an absolute defense against a determined adversary and particularly when that adversary is the government or is prepared to use extreme violence or duress (ala the rubber hose) to extract your keys. I agree that the algorithms themselves are strong, but there are other considerations in the real world.

Why is months any more reasonable of a timeline to crack an unknown encryption scheme with unknown resources?

Maybe they were able to determine some of the characters that were used in the key, or maybe they had some known plaintexts (things that they knew where on the harddrive). The attack may not have been completely unguided.

but there are those of us who find people randomly making things up to support their argument to be rude.

We were speculating because the article was vauge and those that do know (i.e. the government) aren't going to say because they don't want to reveal their methods. Having re-read the article I think that the most likely explanation for the breach was the compromise of Butler's physical security during the time leading up to his arrest. They could have bugged his keyboard(s) and waited for him to access the encrypted drive before kicking down the door. He was obviously concerned about his physical security, but he was apparanetly unable to spot the surveillance or take steps to destroy the evidence prior to his arrest (which he probably would have tried had he know about the agents watching his appartment and had time).

Re:Rather interesting line at end of article...

the point of good encryption is that all of the resources on earth combined cannot crack it before the Earth expires.

That's paranoid conspiracy, IMO.

Re:Rather interesting line at end of article...

[theLOUDroom]

He was once an ally, but that is irrelevant because it was not done by the NSA.

Who do you think signs the NSA's paychecks? Their priorities and funding are decided for them, by the same people who decided Saddam was an "ally."

From a military perspective, we were winning prior to the pull-out.

Clearly you live in some parallel dimension filled with revisionist history.

claim that this implies that the NSA has been trying to sabotage national security

Here a classic example of a strawman argument. Respond to an argument that we may unintentionally hurt ourselves by stating the we would never intentionally hurt ourselves.
The are plenty of plausible scenarios where the NSA might suggest a deliberately weak cryptosystem. For example, they know it will be weak only with keys not tested against criteria X. They approve the system and secretly test keys against this criteria while simultaneously exploiting our enemy's adoption of awesome "US military grade cryptography".

Re:Rather interesting line at end of article...

[theLOUDroom]

It depends what you use your computer for and what the password is.

Did you actually try to simulate this, like I suggested? Or are you just whining that there is some imaginary, extermely unlikely situation where it might help? The quantity of "regular" keystrokes is so much greater than the quantity of "passphrase" keystrokes, that even the less frequently used keys will not show up as a statistically significant difference in the overall distribution.

But it is not an uncertainty either.

The idea that we won't be able to come up with a single math problem that is exponentially more difficult to solve backwards than forwards seems pretty extreme for a random person on the internet to put forth in passing. If such "asymmetrical" problems do exist, then they provide a basis for a cryptographic algorithm which becomes essentialy "impossble" to crack, when used with a sufficiently long key.
If you could actually back up a claim like that, it would be a HUGE mathematical breakthough. Possibly the biggest thing since calculus. It's like saying "I have discovered a truly remarkable proof which this slashdot post is too small to contain."
What you said was like suggesting that gravity might suddenly suspend itself next Tuesday because it would be convenient for your argument.

Having re-read the article I think that the most likely explanation for the breach was the compromise of Butler's physical security during the time leading up to his arrest.

There's a good chance you're right, but I find it just as likely they simply threatened to violate his rights indefinately until he gave them the key. Kevin Mitnick was held in solitary for EIGHT MONTHS without trial until he cracked and gave them what they wanted. To date, there have been no repercussions for that.

Re:Rather interesting line at end of article...

[TheTurtlesMoves]

I havent read all the comments, so sorry if this has already been said. But encryption will not stop a key logger (TEMPEST/hardware based key logger that is). Even if they just use ever character typed in a day your down to a very manageable number of possible passwords (aka millions or less). Even with some hard core hashing its still in the easy basket for a well funded attacker.

There are not all that many effective counters against this sort of thing really.

Re:Rather interesting line at end of article...

Twofish, for instance, is estimated to take 32 Petabytes of text before any significant progress could be made on decrypting it, while Blowfish has "no known way to break".

However, from Wikipedia:
 

Bruce Schneier notes that while Blowfish is still in use, he recommends using the more recent Twofish algorithm instead

Re:Rather interesting line at end of article...

[gr8dude]

The main problem with encryption now is that you can't remember good enough keys anymore.

Store them on a smart card or a token. The technology has been in use for many years and is reliable.

Re:Rather interesting line at end of article...

Not sure what I missed, but how many bits do you enter when entering your TrueCrypt password? Is there a hex-input field in TrueCrypt where you can enter your full 1024bit key? Can you remember it?

A brute-force password attack when you have the image and encrypted key available. How hard is that? There is no network latency or artificial pauses if you try the wrong one so I would assume a pretty good throughput. Maybe you can construct passwords with different statistical properties, phrases, parts of words etc..

I have no background in the field but I am really interested in how you keep the asymmetric properties when it comes to the pure password attack.

Re:Rather interesting line at end of article...

80^7 60000^5
ok his password is stupid as its a common phrase but the concept is fine.

Re:Rather interesting line at end of article...

[dwpro]

I tried that once, but typing something that long quickly over and over becomes quite frustrating, especially since you can't verify that you did it right and sometimes get locked out if you type it wrong too many times on a system.

Re:Rather interesting line at end of article...

there are those of us who find people randomly making things up to support their argument to be rude.

I think I missed the citations in your post....

Re:Rather interesting line at end of article...

Read up:

http://world.std.com/~reinhold/dicewarefaq.html#someoneknows

Re:Rather interesting line at end of article...

[betterunixthanunix]

"Clearly you live in some parallel dimension filled with revisionist history."

The Tet offensive was a significant military victory for the US forces in Vietnam, as it had resulted in a vast weakening of Northern Vietnamese forces. Following that, the US was in a position to take the rest of that country, if we had been committed enough to increase the number of troops in the region. The US public was not committed, due to the number of casualties on the US side of the war and a belief that previous defeats indicated that such action would also end in defeat.

I never said it was an overall good thing. Politically, it would have been a disaster to send more troops there and raise the death toll. It would also have entailed expanding the draft to the middle classes, which would have marked the end of any politicians involved. My point was that, from a military perspective, victory was possible.

"The are plenty of plausible scenarios where the NSA might suggest a deliberately weak cryptosystem. For example, they know it will be weak only with keys not tested against criteria X. They approve the system and secretly test keys against this criteria while simultaneously exploiting our enemy's adoption of awesome "US military grade cryptography"."

Which would also open the possibility of a foreign power, particularly that large on in Asia or its northern neighbor that has some territory in Europe, discovering criterion X and exploiting US use of the system. Various foreign nations have electronic and signals surveillance operations in place (granted, so does the USA) that target US corporations and government agencies, and the discovery of a back door would be a boon to those operations. The NSA knows this; in fact, this is a principle that is central to modern cryptography, usually expressed through the concept of "the strength of a cipher should depend solely on the secret key." Deviating from this principle would sabotage national security, regardless of how you want to state it. It is not a straw man, because this principle has been central to the NSA's cipher designs since the beginnings of the NSA, and so violating it would be a deliberate, intentional effort to weaken national security.

Re:Rather interesting line at end of article...

[neo]

**Assuming you knew that the phrase only included dictionary words you would still need to start with one, two, three...

at 171476 words in the American dictionary this becomes:

171476^6*4 (4 being the most common endings for a phrase [?.!{null}]

1.016904236538265454922659640279e+32 possible combination.

I didn't add bonus points for making all the words caps.

Re:Rather interesting line at end of article...

[CodeBuster]

I didn't say that I had discovered some new way to break strong crypto, but unless you are the smartest person on earth how can you be sure that someone else, perhaps working for the government (ala the NSA), hasn't solved that problem and just not made the solution public? As far as anyone with access to only public information knows the problems upon which the algorithms are based remain very computationally expensive to solve, but do not be closed to the possibility that a solution exists unless it has been proven not to exist. For example, everyone "knows" that P != NP, but nobody has been able to prove that it isn't so we must remain open to the possibility, however remote, that P = NP. I have high confidence in the security of the encryption that I use on my personal laptop for most situations, but my faith in it is not unquestioning. Be careful about what you think you know or you may be in for some nasty surprises out in the real world.

Re:Rather interesting line at end of article...

[theaceoffire]

Or did he write his password on a post it note and stick it to his monitor?

Or does he use the same password for everything, and they just hacked his email account instead?

Re:Rather interesting line at end of article...

[Hillgiant]

I just write them on a post-it and stick it to the monitor.

Re:Rather interesting line at end of article...

[Olivier+Galibert]

Maybe the NSA has proven that P=NP.

    OG.

Re:Rather interesting line at end of article...

[skeeto]

That's the kind of poor thinking that gets us those crappy password strength measuring scripts on websites. These things are totally wrong. Just like every single e-mail address validator out there, they annoyingly, incorrectly reject my perfectly valid (i.e. strong) diceware passwords.

Someone already linked this, but here it is again explaining why dictionary words are fine, as long as you do it right (i.e. with something like diceware): Diceware FAQ.

Re:Rather interesting line at end of article...

Yup, or for that matter, if they were following the guy for a year, who's to say they didn't manage to somehow plant a camera near his keyboard? Or that he didn't have a window right near one of his keyboards. I'm thinking they did something very low tech to get the key. Hell, even if the government has some kind of mega-password cracking setup, why would the FBI have it and wouldn't they not want it publicized?

Re:Rather interesting line at end of article...

This is not just "only dictionary words" because it contains capitals, spaces and one punctuation mark and is clearly much more resistant to brute force attacks than a short password, even if the short password contains capitals, numbers and punctuation. As a bonus, it's also resistant to keyboard wear analysis. The only thing that makes this a bad pass-phrase is that it is now cached on your hard drive and hence will show up if they run "strings" across the volume.

That is why my pass-phrase is Public Static Void Main[] {System.out.println("HI");}

Re:Rather interesting line at end of article...

[ginbot462]

Anyone interested in NSA should read "Body of Secrets".

Of particular note:
shamrock (http://en.wikipedia.org/wiki/Project_SHAMROCK)

and (though not NSA)
Operation Northwood (http://en.wikipedia.org/wiki/Operation_Northwood)

Re:Rather interesting line at end of article...

I'll just consider you rude for being rude and leave it at that.

Re:Rather interesting line at end of article...

[sabt-pestnu]

>> Even the best encryption will eventually fall to a determined enough adversary with enough resources to throw at the problem.

>No, actually that's not a certainty.
> In order for what you said to be true there would have to be fundamental weaknesses in ever cryptographical scheme ever conceived, now or in the future.

You forget, perhaps, that there in fact ARE fundamental weaknesses in cryptographic schemes - now and in the future. The ones with fingers and eyeballs.

You also throw theoretical arguments back against a theoretical statement. If I have infinite resources, the heat death of the universe is not an obstacle. In fact, if I have infinite resources, I could recreate the author of the encrypted data and his entire life. ... But that's a different argument, for another post.

Hmm... infinite key length... infinite resources... what a challenge. Maybe I'll create an entire planet with millions of self replicating processors devoted to solving the problem. I'll need a management layer, too, to ensure the distributed decrypting doesn't run awry. Hmm... How about white mice?

Re:Rather interesting line at end of article...

[gknoy]

Even the best encryption will eventually fall to a determined enough adversary with enough resources to throw at the problem.

No, actually that's not a certainty.
In order for what you said to be true there would have to be fundamental weaknesses in ever cryptographical scheme ever conceived, now or in the future. If we find even one decent algorithm, free of shortcuts, then by using a large enough key it is possible to ensure that your data is not decoded before the death of the sun.

You're not actually disagreeing with him. Your argument us that we currently do not have the resources to throw at the problems. If, however, we DID, the problems would be solvable. This seems pedantic, but I don't think it is. Increases in processing power, mathematics research, and the like continue to advance. Crypto is always about managing the value of information vs the cracking power of the opposition. The only reason things are "uncrackable" is merely because no one has the resources to commit. People have been wrong before about the resources necessary to crack their crypto, and I wouldn't be surprised if they were wrong again.

DES and other schemes were considered "uncrackable" by non-government entities ... until someone built a dedicated machine for it. If something is valuable enough, someone will work to find a way. As someone else pointed out, the value of this data was in the hundreds of millions of dollars. I'm certain that the Secret Service could easily employ some skilled engineers, mathematicians, and computer scientists to build a cracking machine which is a threat to many non-paranoid users.

It's possible that he could have used a key size that was sufficiently large to be uncrackable, and (more importantly) a bug-free implementation which didn't have any weaknesses to cryptanalysis. However, he apparently didn't.

Re:Rather interesting line at end of article...

[spidr_mnky]

Also it's a relatively well-known string, or a simple variation of one, even if it's a long one. Actually, I don't know whether it would be breakable even if someone were using a good dictionary of phrases and permutations, but rather than do the math, I'd personally throw in a capital letter in the middle of one of the words, and a tilde or circumflex for good measure.

I may not remember #$q%{:}, but I can remember a capital T in PeTer and a star in Pep*per.

Re:Rather interesting line at end of article...

[StikyPad]

Exactly. Even commonly used words and phrases are fine in a passphrase, and adding some random variation makes it extremely robust. There's no such thing as "uncrackable", but there is such a thing as impractical to crack.

Of course, in a few decades it will probably be possible to brute-force passwords/phrases longer than most people can remember, or are comfortable typing regularly, and if not, surveillance technology will likely have improved to the point where you'd need to live in a Faraday cage in a concrete bunker to avoid it.

Re:Decimate

[TaoPhoenix]

Yea, but they seem to be trying to make it mean *leave* 10%.

Why didn't the FBI do the disruption?

[daigu]

Most illegal online loot was fenced through four so-called carder sites--marketplaces for online criminals to buy and sell credit card numbers, Social Security numbers, and other purloined data. One by one, Butler took them down.

The obvious question: why didn't the FBI do this rather than set-up a honeypot site? I understand the focus on gathering evidence, but it is interesting the disruption isn't a more important part of the law-enforcement toolkit.

Re:Why didn't the FBI do the disruption?

[iluvcapra]

>

The obvious question: why didn't the FBI do this rather than set-up a honeypot site?

Police and prosecutors are rewarded based on the number of arrests and convictions, and not necessarily on reduction in crime?

Re:Why didn't the FBI do the disruption?

[wjh31]

would you like to give them the legal right to disrupt any website they felt fit before they had enough evidence to proove wrong doing. If there is wrong doing then gather evidence and prosecute and shut down for good, if there isnt wrong doing, leave it, dont cause disruption just because someone has a hunch, or whatever other motives any paranoids/conspiricists/etc would like to add

Re:Why didn't the FBI do the disruption?

[betterunixthanunix]

They are probably not allowed to do it, by law. Until they can prove that a computer is being used for illegal purposes, hacking their way into it and messing with the data stored on it is more likely to get the criminals off "on a technicality" than get them locked away for life.

Re:Why didn't the FBI do the disruption?

[dave562]

Maybe it has something to do with computer trespass laws? I'm not a lawyer, but from what I understand, the law enforcement community has to follow the rules. Often times those rules hamper them. Expensive defense lawyers are often focused on the procedures followed when their clients are arrested or investigated. Any anomolies in the procedure could be a get out of jail free card.

For example, I know a guy who got out of a DUI ticket after being stopped at a DUI checkpoint. The court order/warrant/whatever that was approved for the checkpoint specifically stated that the officers were only allowed to stop one out of every three cars, or something like that. The defendant's lawyer was able to prove that the police officers did not operate within the limitations of their authority as defined by the order to establish the checkpoint. Therefore despite the guy being drunk as a skunk and definitely guilty of DUI, the charges against him were dismissed.

Given that unlawful access to a computer is a Federal crime, I don't think that the Feds are allowed to go breaking into computers. However, they can certainly setup a honey-pot and wait for stupid criminals to hang themselves. One might consider an article that was just posted here, the one about authorities in the UK being given expanded powers to access personal computers.

Re:Why didn't the FBI do the disruption?

[Capt.+Skinny]

Perhaps because they were targeting people, not sites? The summary refers to the FBI site as a "sting operation." Sounds to me like they were gathering evidence against the individuals buying and selling data (through the sting site), which is a completely different goal than taking down four sites that would be replaced in short order.

Re:Why didn't the FBI do the disruption?

[_Sprocket_]

I understand the focus on gathering evidence, but it is interesting the disruption isn't a more important part of the law-enforcement toolkit.

Arrests and, more importantly, conviction ARE disruptive.

Re:Why didn't the FBI do the disruption?

[Alex+Belits]

And participating in fraud (and providing public resources, no less) is any better? A honeypot site may gather evidence on some people and get them caught, but at the same time it will also assist many others criminals and be involved in crimes that will never be solved. FBI doesn't have resources to go after any meaningful percentage of site users, so how is it supposed to be a benefit for society? How come, they are immune to those charges (fraud with massive numbers of victims) yet not to "computer trespass" that targeted a site operator who probably will be charged with fraud anyway?

Re:Why didn't the FBI do the disruption?

[dave562]

Because life isn't perfect and you have to break a few eggs to make an omelette. It's one thing to pretend to be a bad guy, and to engage in other bad activities to catch and prosecute bad guys. It is another thing entirely to be given a free pass to trespass. Do you want to give up your legal protections that protect your personal computer, so that the FBI can go hack into someone else who may or may not be guilty of a crime? That is where your argument is leading.

Re:Why didn't the FBI do the disruption?

[Alex+Belits]

What legal protections? They are still passing around stolen (possibly mine, and tens of thousands of other people) data on their "sting" site, continuously causing real harm to the victims -- if there was any real protection, they would have to be charged with fraud along with those few "real criminals" they have fished out.

Re:Why didn't the FBI do the disruption?

[dave562]

Are you serious, or are you just arguing for the sake of doing so? Do you have any idea how the criminal justice system works in this country? Do you have any idea how investigations take place?

If the FBI just took the site down the carders would move else where. Back before the internet was big, I used to know people who swapped codes over voicemail systems. What do you think happened when a compromised system got shut down? Everyone just jumped to another one.

Collecting enough evidence to prosecute involves long term investigation. I doubt that the admins of the carding sites are keeping detailed transaction logs for the Feds to pour through. Therefore the Feds have to setup their own site to get enough evidence to tie the codes to the person providing them.

Since you've suggested that the Feds should just take down the sites themselves, please tell me how that would achieve anything more than a temporary disruption in the system? How would that lead to prosecutions?

Re:Why didn't the FBI do the disruption?

[Alex+Belits]

Are you serious, or are you just arguing for the sake of doing so? Do you have any idea how the criminal justice system works in this country? Do you have any idea how investigations take place?

No, I don't, and neither do you -- there is no oversight. For all I (or anyone) know, there may be more crime perpetrated by cops/FBI/informants/... in an attempt to convict a small number of criminals than by criminals who end up getting caught.

If the FBI just took the site down the carders would move else where.

That will likely take time, and criminals will lose data in the process, expose themselves to some real undercover cops, etc. Certainly it will decrease the total amount of fraud even if slightly smaller number of people will end up being convicted.

Back before the internet was big, I used to know people who swapped codes over voicemail systems. What do you think happened when a compromised system got shut down? Everyone just jumped to another one.

Voicemail? Really? It would be easier to swap codes by carrier pigeons than by voicemail.

Collecting enough evidence to prosecute involves long term investigation. I doubt that the admins of the carding sites are keeping detailed transaction logs for the Feds to pour through. Therefore the Feds have to setup their own site to get enough evidence to tie the codes to the person providing them.

So just to have a satisfaction of "nabbing" a couple of guys it's OK to dedicate public resources to defrauding thousands of innocent people with no recourse to those victims? I am sure, you will be happy to know that if was FBI and not criminals who spread your ID/cards/bank account information through such a system when you'll end up broke, unemployed and with a couple of outstanding warrants for your arrest in states where you never been.

It's one thing when undercover cops join robbers to arrest them after a bank robbery. It still kinda make sense when cops get involved in multiple crimes and end up destroying massive criminal organizations, though considering how widespread is organized crime I am not convinced that it actually works that well. But when they run some continuing "operation" for months and years, with not even slightest hope to stop any noticeable percentage of criminals involved (most are unidentifiable or foreign), end up throwing a book at few skr1pt kiddies and fraudsters, leaving the rest alone, how does it balance with plenty of crime that would be hindered if their "sting" site did not exist?

Since you've suggested that the Feds should just take down the sites themselves, please tell me how that would achieve anything more than a temporary disruption in the system?

By constantly creating "temporary disruptions", so there will be less crime. Not all problems have easy and permanent solutions, certainly not crime in general and fraud in particular.

How would that lead to prosecutions?

See above -- when site goes down, criminals have more chances to expose themselves in the process of organizing another one. However the fundamental problem is, why should we (the society as a whole) care about prosecutions? We should care about having less crime, and with the numbers of people involved in computer-assisted fraud, their lack of hierarchy and low rate of successful prosecution, how does it solve that problem -- or any problem?

Re:Why didn't the FBI do the disruption?

[dave562]

No, I don't, and neither do you -- there is no oversight. For all I (or anyone) know, there may be more crime perpetrated by cops/FBI/informants/... in an attempt to convict a small number of criminals than by criminals who end up getting caught.

You've been watching too many movies. I know people who have been prosecuted by the Federal government. I know people who work in law enforcement at both the local/state and Federal level. There are bad cops out there. About a year ago there was a story in the local papers about LAPD and Long Beach PD officers who were robbing drug dealers in fake drug stings and then reselling the drugs. Those things do happen but they are rare. You say that there isn't any oversight but for the most part, there is. There has to be. Just about everything comes out during the trial. There is a reason that the witness protection program exists. People have to come out and lay their cards on the table. The fairy tale of bad cops cheating the system is over rated. My current room mate used to be in the LAPD. He isn't anymore because internal affairs busted his partner for being involved in selling drugs. They didn't believe that he didn't know about it, so he lost his job too. More often than not, the bad apples eventually get rooted out.

Voicemail? Really? It would be easier to swap codes by carrier pigeons than by voicemail.

I shouldn't, but I'll take the bait. Back in the day when "good" internet access was a $1000+ US Robotics 14.4 courier modem connected to a SLIP connection, most of the fraud was still taking place closer to the real world. A voicemail system with a national 800 number was the best way to anonymously swap codes. Even after ANI became wide spread, people just moved to payphones and kept going.

So just to have a satisfaction of "nabbing" a couple of guys it's OK to dedicate public resources to defrauding thousands of innocent people with no recourse to those victims? I am sure, you will be happy to know that if was FBI and not criminals who spread your ID/cards/bank account information through such a system when you'll end up broke, unemployed and with a couple of outstanding warrants for your arrest in states where you never been.

The FBI isn't spreading the information around. They are doing the equivalent of a Man in the Middle attack against the information flow. They are putting a tap into the data stream. I don't have the details of their operation, but I would HIGHLY DOUBT that they put out virgin codes on their own site. More than likely, they just ran the site and monitored the transactions.

Your comment about ending up broke, unemployed and wanted is complete hyperbolic drivel. I've been a victim of fraud three times. Once on my checking account when someone stole a check out of my car. Once due to an online transaction at a shady site. And once via a compromised credit card (probably POS related but it was never determined where the breach occured). All three times my total out of pocket expense was $0. My credit rating is in the high 700s. I have access to close to $50,000 of unsecured credit. Fraud hasn't ruined me. It is so common and prevalent that financial institutions have procedures in place to deal with it. The only person who gets screwed by the fraud is the merchant who loses the goods. More often than not, even they have insurance to cover those losses.

It's one thing when undercover cops join robbers to arrest them after a bank robbery. It still kinda make sense when cops get involved in multiple crimes and end up destroying massive criminal organizations, though considering how widespread is organized crime I am not convinced that it actually works that well. But when they run some continuing "operation" for months and years, with not even slightest hope to stop any noticeable percentage of criminals involved (most are unidentifiable or foreign), end up throwing a book at few skr1pt kiddies and fraudsters, leaving the rest alone, how does it balance with

Re:Why didn't the FBI do the disruption?

[Alex+Belits]

You've been watching too many movies. I know people who have been prosecuted by the Federal government. I know people who work in law enforcement at both the local/state and Federal level. There are bad cops out there.

"Bad cops" have absolutely nothing to do with this. I am talking about system working exactly as designed, and still ending up doing more harm than good because of misplaced priorities. Corruption and intentional abuse are the whole additional level that for the purpose of this discussion we can ignore.

I shouldn't, but I'll take the bait. Back in the day when "good" internet access was a $1000+ US Robotics 14.4 courier modem connected to a SLIP connection, most of the fraud was still taking place closer to the real world. A voicemail system with a national 800 number was the best way to anonymously swap codes. Even after ANI became wide spread, people just moved to payphones and kept going.

It doesn't matter -- voice mail records voice. Voice is not efficient for passing around numbers, unless they are short, and people have limited time. Voice mail is even less so because of distortion.

Fraud hasn't ruined me. It is so common and prevalent that financial institutions have procedures in place to deal with it. The only person who gets screwed by the fraud is the merchant who loses the goods. More often than not, even they have insurance to cover those losses.

Assault and robbery didn't leave me broke and crippled, either, yet it doesn't mean that it always works like that.

You have to realize that the crime they are dealing with, on the scale they are dealing with it, is new. I don't know how long you've been involved in the computer underground. I've been involved on one level or another since 1991, right after Operation Sundevil. When I got involved, we couldn't even have dreamed of fraud on the scale that it is currently taking place. Everyone was separated into their own little niches. The fraud was taking place on a much smaller scale. The idea of getting legit looking bank cards from Russia would have been a wet dream. The idea of doing it from east bumblefuck no where with the convenience of a DSL line was fairy tale stuff. It was hard enough to get good numbers and plastic in the middle of a major urban metropolis like Los Angeles. Forget about going online to any sort of one stop shop.

Then maybe when it was on a small scale it made sense. On the scale it happens now, it's completely inappropriate -- a criminal has better chance to be hit by a bus than to be convicted as a result of such a "sting", so why would he care? People don't commit crimes because they think, it's safer than a legitimate job, they accept or ignore the risk.

I'm going to suggest that you're working with a false premise. Creating temporary disruptions in the world of computer aided financial fraud is the digital equivalent of busting crack dealers on the corner. You aren't any closer to stemming the supply, you aren't addressing the underlying problems, and you're wasting resources that could be spent on investigations. On top of it all, there will always be someone else who will step into to the place of whoever you disrupt. There is simply too much money involved to imagine anything else happening.

Crack has to be "supplied" by someone more or less identifiable, however even then it's a losing battle. Financial data will be passed around as long as it is used, and computers will be broken into as long as there are security holes. There are thousand, maybe millions of "suppliers". Hell, when was last time someone I don't trust seen my credit card? Today a cashier in a store where I have bought groceries? Have I checked who issued certificate for my bank's web site? And that's me, a person who actually applies some effort to keep his computers secure.

Exchanging this information is what makes it harder to notice, spread over t

Re:Why didn't the FBI do the disruption?

[dave562]

The entire argument can be summed up by simply stating that crime can never be completely prevented. The best that the law enforcement agencies can ever do is to attempt to keep it from getting completely out of control. The bottom feeders will always be the ones getting caught. 80% of all criminals eventually get busted because they over reach. They cross that invisible threshold where they attract too much attention and they get popped. The majority of the rest who get busted do so because of bad luck or bad social skills... they piss someone off, or someone they interact with gets busted. If the FBI didn't crack down the script kiddies, everyone and their mom would be carding stuff left and right. The equivalent back in the day was cracking down on people using 950s. For a while a few people were phreaking 950s. Then the knowledge got out there and just about everyone was doing it. Most of the 950 companies moved to much longer PIN codes that took too long to crack, but good old Thrifty Tel stuck with the shorter ones. Pretty soon, everyone was using 950-1492. And then one day, the Feds came swooping down and busted everyone. By then most of the smart people had moved onto other things. Law enforcement will always be a couple of steps behind. That is simply the nature of the game. I look at it like this. Either we can have the FBI running one fraud site that they monitor, or we can just give them wholesale license to wiretap everything. Which one do you want? And the answer can't be neither, because you've already said that the FBI and law enforcement needs to be there.. Left to its own devices it will grow higher and higher, so you need someone actually keeping it low. That, in its turn, can be done by actively preventing fraud and making it very risky, so you still need FBI after all. Fraud can't be actively prevented much more than it already is. There aren't enough agents out there to prevent crime. The best that they can do is deter it. At this point in the game, fraud is mitigated. It is absorbed as a cost of doing business and life goes on. It has always been that way for as long as I can remember.

Re:Why didn't the FBI do the disruption?

[Alex+Belits]

The bottom feeders will always be the ones getting caught. 80% of all criminals eventually get busted because they over reach.

You seem to be very concerned about enough criminals being punished, and at the same time you don't care the actual amount of harm that they cause to society. I would rather prefer if no criminal was ever caught, but their schemes were rendered ineffective rather than keeping people getting hurt and then catching some poster boys who "overreached".

Either we can have the FBI running one fraud site that they monitor, or we can just give them wholesale license to wiretap everything.

How so? For all I care they can run an education campaign to make people less vulnerable to obvious fraud, or handing out hardware security tokens to banks by a truckload if those things happen to be more effective than what they are doing now.

Fraud can't be actively prevented much more than it already is. There aren't enough agents out there to prevent crime.

How many agents does it take to turn off the server that they already have?

The best that they can do is deter it.

If committing crime does not make person's life any more risky than not committing it as long as he does not "over reach" some limit, this does not deter much anyway. I can argue that if they can't keep carders from exchanging massive amounts of data, how can they deter them from using it?

Re:Why didn't the FBI do the disruption?

[dave562]

You seem to be very concerned about enough criminals being punished, and at the same time you don't care the actual amount of harm that they cause to society.

If your impression is that I care about enough people punished, you're wrong. My experience has been that a lot of the laws are put into place to protect the slow and weak from the crafty and powerful. Laws don't encourage evolution so much as they protect the status quo. With regards to credit card fraud, I don't care how much "harm" is caused to society. The harm is part of the learning process. When enough "harm" takes place, people will adapt. Until then, they will slog along and suck it up. My belief is the best way to increase innovation and to bring about change involves giving people the inclination to change. So long as the financial sector continues to push the burden of security off onto the consumers and the law enforcement agencies, they will never change.

I would rather prefer if no criminal was ever caught, but their schemes were rendered ineffective rather than keeping people getting hurt and then catching some poster boys who "overreached".

That's nice. You're living in a fantasy world. That has become inherently obvious over the course of this thread. Your entire position seems to be based on some fantasy construct in your mind of how you would like the world to be. Meanwhile I have been putting it out there how things are.

How many agents does it take to turn off the server that they already have?

This argument is going around in circles. I've pointed out multiple times already that the FBI server wasn't the only venue for the fraud to take place. I'm done with this conversation at this point. But I will point this out one more time and give you a real world example. THERE ARE MANY NEARLY IDENTICAL SITES OPERATING THAT FACILITATE THE SAME THING THE FBI SITE DID. I used to courier warez. There were about five BBS' that I would upload to. If one of them was busy, I would upload to another that wasn't. If one of them was run by the FBI, them taking it down wouldn't prevent the warez from being spread around. If people weren't able to download from the FBI board, they would go download from one of the other ones. However, if the FBI had phone logs of me logging into their system and transferring copyrighted software, they could prosecute me and there would be one less person committing phone fraud to swap the fresh no day. Similarly, if the FBI takes down their carding site, the people with the codes will just find a buyer for them on one of the other sites. And just like with my warez BBS example, if the FBI has logs of someone committing financial fraud, they can prosecute that person. Sure, they can't go to Albania or Nigeria to get them, but they can get the people here in America. Just about everything that you've been spouting about the FBI contributing to the problem is baseless, because of the fact that they have to engage in it to deal with it. Just like if the DEA wants to figure out where the drugs are coming from, they have to dip into the drug trade. They have to setup sting operations. You have blown the FBI issue up way beyond proportion, and continue to make your assertions while completely ignoring, and failing to address this simple point that I will reiterate here again. IF THE FBI WASN'T RUNNING A SITE TO CATCH CARDERS, THERE WOULD STILL BE OTHER SITES THROUGH WHICH PEOPLE PASSED THE EXACT SAME INFORMATION THAT THEY TRADED ON THE FBI SITE. Just like if I couldn't upload the latest Razor 1911 release to to BBS1, I would go ahead and put it on BBS2.

I can argue that if they can't keep carders from exchanging massive amounts of data, how can they deter them from using it?

I can point out that you're working on two different logical levels. The carders exchanging the data are often times not the people using the codes. The guy who has the numbers makes his money selling the numbers. Someone else makes their money put

Re:Why didn't the FBI do the disruption?

[Alex+Belits]

With regards to credit card fraud, I don't care how much "harm" is caused to society. The harm is part of the learning process. When enough "harm" takes place, people will adapt. Until then, they will slog along and suck it up. My belief is the best way to increase innovation and to bring about change involves giving people the inclination to change. So long as the financial sector continues to push the burden of security off onto the consumers and the law enforcement agencies, they will never change.

And this is exactly what I am doing -- end-users can't "adapt", but FBI can -- by switching from trying to randomly punish a small percentage of criminals to hindering all of them. With enough disruption their activity will become too unprofitable to justify even small risk, or will be reduced enough so society will be able to write it off as inevitable losses.

That's nice. You're living in a fantasy world. That has become inherently obvious over the course of this thread. Your entire position seems to be based on some fantasy construct in your mind of how you would like the world to be. Meanwhile I have been putting it out there how things are.

It's your assertion that criminals are punished when they "overreach". You completely ignore the harm caused by massive number of them before they "overreach" (or more likely through their whole career) even if each individual crime is insignificant. You think like a cop -- it's important to catch those who commit most noticeable crimes, and ignore everything else. That would work if society was mostly harmed by most blatant criminals, however there is absolutely no evidence that this is true.

IF THE FBI WASN'T RUNNING A SITE TO CATCH CARDERS, THERE WOULD STILL BE OTHER SITES THROUGH WHICH PEOPLE PASSED THE EXACT SAME INFORMATION THAT THEY TRADED ON THE FBI SITE. Just like if I couldn't upload the latest Razor 1911 release to to BBS1, I would go ahead and put it on BBS2.

Great! The "bandwidth" of those sites is limited, so in total there will be a delay, and increased activity will likely expose more criminals.

I can point out that you're working on two different logical levels. The carders exchanging the data are often times not the people using the codes. The guy who has the numbers makes his money selling the numbers. Someone else makes their money putting the numbers onto a card. Another person makes their money actually buying goods with the numbers.

Particular people are not important -- for any real harm to take place, the whole chain has to operate.

The FBI deters people from using the numbers by attaching harsh penalities to using them. In reality, all that they deter are repeat offenders. Most people who spend time in prison don't want to go back.

Harsh penalties don't deter people if they are applied to a very small percentage of people performing the same activity. Worse yet, they encourage more people to remain "under the radar" while causing just as much harm.

It's pretty obvious that you have some deep seated issues and reservations with the way law enforcement works. That's fine, and you're entitled to your beliefs. In a similar manner, you're entitled to live in your fantasy world where crimes can be rendered ineffective and impossible to pull off.

What?

That world will never cross the plane of reality that the rest of us live on. Human beings are simply too creative and too intelligent to ever be completely thwarted or boxed in by other human beings.

Particular "human beings" or "completely thwarting" are not important. Overall reduction of crime is.

For the sake of discussion, I have an idea. What we need to do is to get chipped. We need to allow the financial world and the law enforcement agencies to track our every move. Once they are able to do that, they will b

Max Butler In One Word:

Moron.

Sincerely,
Kilgore Trout

icebreaker

[bugs2squash]

recently operation icebreaker brought down some local meth dealers. I bet the same name had been used for similar stings hundreds of times.

Now operation DarkMarket turns out to be a Fed-run honeypot.

How hard could it be to make a dictionary of likely FBI operation names, or even an application to rank the probability of a domain name being based on operation names that have been used on TV in the past ?

Re:icebreaker

[wjh31]

dark market was the name of the sting website, not neccecerily the operation, how likely are you to hear the name of an operation at a time such that you can know its something related to what you are doing, where would a meth dealer have herd someone say 'operation icebreaker'?

Re:mod parent troll

[be+new+here]

you all must be new here.

Please stop bringing me into this!

Not exactly

[Chmcginn]

Now operation DarkMarket turns out to be a Fed-run honeypot.

Not exactly true. One of the admins was compromised after an arrest, and rather than shutting it down, they kept it running for a bit longer, planning on setting up big buyers for eventual busts.

Re:Not exactly

[shentino]

So in other words, the feds confiscated the domain, and when it became federal property, what used to be silly computer trespass became a major felonious assault on a government website.

Kilgore Trout In One Word:

Coward.

Sincerely,
Theodore Sturgeon

Fun with exponents

[Chmcginn]

It's quite possible to brute-force ten-letter alphanumeric passwords. With some assumptions it should be possible to brute-force even larger passwords.

If cracking a full-disk encryption with a ten-character password takes only five seconds, an eleven-character (assuming that it's case sensitive) password is going to take five minutes. A twelve-character will take about five hours. A thirteen-character, almost two weeks. Fourteen, two years.

Re:Fun with exponents

[Cyberax]

Nope. Effective password alphabet is about 70 characters (26*2+10+punctuation).

You can also assume that passwords are unlikely to have 4 or more consecutive punctuation marks, contain parts of dictionary words, etc.

Re:Fun with exponents

[betterunixthanunix]

Hi! I am a government agency hell bent on figuring out your password. Where do I begin?

1. Go for it, throwing all my CPU time at and trying everything possible
2. Take your keyboard and analyze the wear on each key, so I can tell which letters you are most likely to use and use that to tip the odds in my favor.
3. Review your entire life, looking for clues about how you might try to pick passwords.
4. Some combination of (2) and (3), plus other techniques that would allow me to shave years off of the work of brute forcing the password

Re:Fun with exponents

5. Keylogger

Re:Fun with exponents

[ld+a,b]

6. Asking you nicely in a closed room with no cameras laced with references to a one way trip to Cuba.

Re:Fun with exponents

[ion.simon.c]

6. Asking you nicely in a closed room with no cameras laced with references to a one way trip to Cuba.

Film at 11:
http://www.youtube.com/watch?v=lB_Hl4bcQNc

Re:Fun with exponents

[Richard_at_work]

Only if you throw the same amount of hardware at it each time...

Re:Fun with exponents

[jeff4747]

7. Use a FISA warrant to install a keylogger.

Re:Fun with exponents

[Hillgiant]

7. (see 5.)

Fixed that for ya.

Re:Fun with exponents

[lord+sibn]

This is why I assume that passwords are a flawed method of authentication (seriously, 11 characters is a lot to have to type!) all for five minutes of security. I just use the same password everywhere: 12345.

Re:Fun with exponents

[Nethead]

Hey! That's the one I use on my luggage!

Re:Fun with exponents

[Chmcginn]

Nope. Effective password alphabet is about 70 characters (26*2+10+punctuation).

Yeah, for some reason I was going with 60 instead of 76.

You can also assume that passwords are unlikely to have 4 or more consecutive punctuation marks, contain parts of dictionary words, etc.

If you're using a 20-character password, having a dictionary word mixed in with a pile of random punctuation (or even interspursed throughout a pile of punctuation) is a perfectly secure password method.

While 123456789icecream might be fairly suspectible to a dictionary attack, 1i@3ce$%6cre&*(0am would be (almost) as easy to remember, and would take most brute-force attacks rather longer.

It just goes to show

[alexborges]

That if you are an enemy of the Mafia, you are an enemy of the state.

Re:Decimate

[TheoMurpse]

Yeah, the past 400 years of usage of "decimate" have really indicated that the word only means "take away 10%." http://www.etymonline.com/index.php?search=decimate&searchmode=none

Obsession

[BountyX]

Hacking is an obsession and an addiction. It can easily take over your life, especially if you are good at it. Finding your next target is like getting in your next fix. It offers the ultimate escape, diversion and self-esteem. In a sense, it is a power trip. The kind of rush you expirience when your skills pay off is incredible. For some, it is a rush better than sex and drugs combined. It adds a new dimension to an otherwise mundane and seemingly predictable reality. Some perspective ;)

Re:Obsession

[mkiwi]

So you mean it's like World of Warcraft? :-)

Re:Obsession

For some, it is a rush better than sex and drugs combined

For most, they'd never have the data to compare.

Re:Obsession

[Dan667]

I just fly pretend spaceships and pew pew on a MMO. As a perk, no jail time if my wife catches me.

Re:Obsession

[Jonboy+X]

The kind of rush you expirience when your skills pay off is incredible. For some, it is a rush better than sex and drugs combined.

Interesting, but are we talking Scarlett Johansson and coke, or Roseanne and Robitussin here?

Re:Obsession

[Jedi+Alec]

Vexors at dawn, good sir!

Re:Obsession

[Patrik_AKA_RedX]

As a perk, no jail time if my wife catches me

You have serious relationship problems. I'm sure my wife wouldn't turn me in for my illegal activities.

Re:Obsession

[Dan667]

Uh, MMO playing is not illegal. It was a funny.

Re:Obsession

[ELProphet]

Climbing is an obsession and an addiction. It can easily take over your life, especially if you are good at it. Finding your next route is like getting in your next fix. It offers the ultimate escape, diversion and self-esteem. In a sense, it is a power trip. The kind of rush you experience when your skills pay off is incredible. For some, it is a rush better than sex and drugs combined. It adds a new dimension to an otherwise mundane and seemingly predictable reality. Some perspective ;)

Hunting is an obsession and an addiction. It can easily take over your life, especially if you are good at it. Finding your next deer is like getting in your next fix. It offers the ultimate escape, diversion and self-esteem. In a sense, it is a power trip. The kind of rush you experience when your skills pay off is incredible. For some, it is a rush better than sex and drugs combined. It adds a new dimension to an otherwise mundane and seemingly predictable reality. Some perspective

Running is an obsession and an addiction. [...] Finding your next route is like getting in your next fix. [...] Some perspective

Fly fishing is an obsession and an addiction. Finding your next hole is like getting in your next fix. [...] Some perspective

Skiing is an obsession and an addiction. Finding your next hill is like getting in your next fix. [...] Some perspective

Shall I continue?

Re:Obsession

No, he said "hacking" not "mining".

Re:Obsession

I think his point was that you implied that if you were doing something illegal, she might.

Recurring theme

Muhammad (yeah, that one) once had an epiphany, guided to him, at least in theory by the archangel Gabriel and he took this idea to the Hebrews; "I understand you! Better yet, I can improve on what you're doing!" was generally the idea.

They laughed at him, and the world has seen Semites (both Arabs and Israelis) fight to the death since then.

Hitler had ambition to become a painter of great works. He felt he had something to say in the art world, and at some point tucked his paintings under his arm and went to Vienna to show them off. "I understand you- better yet, share in my furthering works!" was the general idea.

More than 150 MILLION people died in the eventual Darwin-inspired war that followed. But to his credit, anyplace Darwin's suggestions are instituted, slavery and genocide are permitted.

It's not surprising that a hacker who doesn't fit in, ridiculed by authority figures can do great harm. Ya see, PRIDE is mankind's downfall.

Pride can be constructive; it makes us work hard and commits us to great works. But pride in it's extreme makes us do horrific things too- murders, shooting sprees and war. The Columbine killers wanted to leave a big story- make a big splash...for their pride.

Satan's favorite tool is pride. With it, a person won't accept there can even BE a God! "Surely I'm too smart for that boring crap" and the man never lifts a finger to answer the eternal question.

Be careful with your pride, aye?

Re:Recurring theme

[JohnnyComeLately]

What's that old saying, "pride comes before a great fall."

Scorn is usually a bad thing anyway. Just because you don't agree or understand something doesn't mean you should react negatively. This is why I believe it's difficult to have meaningful discussions with people on the extremes, such as liberals. Don't like gay marriage? HATE MONGER!! All too often people resort to insults rather than intellect. I guess because it's easier and there's no accountability. How do you prove you're not a "Hate Monger"? Lack of evidence is evidence.

Re:Recurring theme

[neomunk]

I think, by declaring liberals as extremists, you pretty well defined hypocrisy with your post.

You use your first 2 sentences to denounce up a type of behavior, and then engage in that very behavior in the very next sentence, you didn't even break for paragraph. Thank you for your demonstration, it may even cover cognitive dissonance as well as hypocrisy.

You know damn well that not all (not even most, and you KNOW it) liberals are extremists like that. On top of that you know (you KNOW) that there are conservatives just as extreme. Stop pretending to be on the only rational side. You'll find idiots and assholes wherever you look, especially if you go hunting for idiots and assholes.

Re:Recurring theme

Right, because "liberal" is an extreme.

I'm going to wager that you're an extreme like "conservative".

Seriously, this discussion has little to do with the topic at hand, and has everything to do with you waving your e-peen around in some political pissing match because you feel the need to bring this to light.

Bad examples are bad.

This is *not* insightful, and quite possibly a really good troll.

Re:mod parent troll

Its funny because people like Timecop probably really do believe they're doing something. Meanwhile, mimes continue to contribute more to society.

You can run Windows from a live CD

[Sits]

If you run Windows PE you can run it from a CD. Also there's the chance they are using a USB flash drive/USB hard disk and running Windows from that...

You're on your own with respect to the fingerprints though. Can't even being to explain that...

Red and Yellow Hats

[billstewart]

The Yellow Hat sect of Tibetan Buddhism is the school that the Dalai Lama and Panchen Lama belong to, as opposed to the Nyingma or Red Hat sect which is the school that the Karmapa Lama belongs to.

And if anybody wants you to install a piece of distributed computing software that needs you to install Tibetan fonts and nine gigabytes of RAM on your computer, do be careful...

Re:Red and Yellow Hats

[adminstring]

This is what would happen, according to a classic sci-fi story by Arthur C. Clarke.

Here's the FBI's own press release...

[Klootzak]

Because I don't trust wired.com much... I did a quick search for data on Max Butler from the source: The Department of Justice's own press release on this is dated 9/11/2007.

New Technology--Same Old Story

[MarkvW]

The criminal's accomplices shopped him. That, plus evidence of the public market that he created, was more than enough for a search warrant.

Once again . . . there is no honor among thieves. We should all be grateful for that.

I hope that the Feds launch that guy into the stratosphere.

More about Rijndael...

Interesting fact about Rijndael -- it has a very simple structure: it's "light" but perfectly* strong, as far as extant knowledge goes. (*"Perfectly" in the sense that there is no extant way to break it apart from brute force.) However, its simplicity has led some to consider it "not the most secure choice." Makes you wonder if there *is* a government farm that can crack it now!

Re:More about Rijndael...

[Abcd1234]

However, its simplicity has led some to consider it "not the most secure choice." Makes you wonder if there *is* a government farm that can crack it now!

Did you actually fully read and comprehend that post. To quote:

I believe that within the next five years someone will discover an academic attack against Rijndael. I do not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic.

In other words, while someone may find an attack that would allow one to break the cipher in less time than pure brute force, he doesn't believe that any such attack will actually be feasible to execute.

Re:mod parent troll

[mollymoo]

do the moderators even know who timecop is?

Perhaps they do, but they actually like Jean-Claude Van Damme. Some people are weird like that.

Re:Very unfair image

[Frosty+Piss]

Max is/was/will always be a guy who stole identities and money other people, in many cases making their lives living Hell. You can toot all you want about the evil FBI, but fact of the matter is that Max is a thief who took things that didn't belong to him.

not really...

[darjen]

the largest crime forum in the world

I think this dubious honor belongs to the US government.

Re:not really...

[coolsnowmen]

How is this modded insightful over flamebait?! (maybe funny) There is not a chance that is accurate by any standards I know of (if so, please tell me the criteria).

The African governments are so corrupt, that there is a prize given every year to the least corrupt leader (straight to him!).
http://news.bbc.co.uk/2/hi/africa/7679391.stm

Re:Very unfair image

[registered_after_8_y]

Yes, I for one applause that he had the guts to steal from the thiefs..too bad that the goverment does not like getting robbed.

Heh

[Hecatonchires]

Your name made me laugh. Thank you.

You are all clueless

Yes, you wouldn't even DARE to use a password or passphrase. You'd generate a strong key.

The only thing safe is using a onetimepad (xor) encryption, since it is really UNBREAKABLE, as long as the key is as long as the message.

You just gotta hide that well or encrypt it addtionally with various layers of other ciphers.

I would carry that key around with me all the time, and hide it somewhere in huge amounts of data. Like offset 87978978971231 of a certain drive's raw data. And I'd put a self destruction device next to it.

Hi Max!

Thanks for your comment.

Re:Very unfair image

You are a fucking brain-dead moron.

Capture or hire the black hats?

[troll8901]

Is it better to capture or hire the black hats?

I always wondered.

And should I equip myself with, um, l33t haxx0r (read: script kiddie) skillz, just for my own, um, protection?

Re:Capture or hire the black hats?

[Alex+Belits]

No. When someone discovers security holes, every user will have to rely on the free market to get his security patches from white hats before getting his computers broken into, or to pay ransom to black hats after that.

(Welcome to Libertopia)

Improve your '+1-Funny' mileage on /.

[rts008]

Hah! I see what you are trying to do here!

Almost fiendishly clever, you rascal!

*hint*
That would work far more often if your /. user name was just 'new here'. Think about it, or not. :-)

*runs off to patent office*

P.S. As my dear departed dad would say, "Smooth move, Ex-Lax"!"

All in fun, pay no attention to me...this is NOT an attack on your post, and my karma can withstand humour impaired mod's...I laugh with you, not at you!-If I had mod points, I would give you '+1 funny' just for your user name in this instance. (as you had planned on happening-well done!)

Re:Improve your '+1-Funny' mileage on /.

That would work far more often if your /. user name was just 'new here'. Think about it, or not. :-)

Already been done: New Here

Re:Very unfair image

[plnix0]

Max is/was/will always be a guy who stole identities and money other people, in many cases making their lives living Hell. You can toot all you want about the evil FBI, but fact of the matter is that Max is a thief who took things that didn't belong to him.

You could say that about everyone in government.

Sigh.

I have been one of Max's friends since HS. It's been most sad watching all this happen. He's such a good guy. He's made some bad choices, but he also has had his life severely constrained because of what happened with his gf in HS.

What the article doesn't really say is that his friends don't actually believe he assaulted her. He was impulsive and kinda wacky, but never hurt anybody, nor ever wanted to. Just think of him, a big kid with long hair standing in front of a box full of old, conservative, Idaho jurors. He's scary lookin'! Convict!!

Anyways, He was in prison while the rest of us went to college and got jobs. He got out and tried to play catch-up, but it was hard with a felony record. So for the rest of his life, he's been an outsider struggling to get in with the rest of us.

He's tried SO hard to do the right thing. But again, his record made it hard to get jobs, and he is so good at security stuff... It's so easy to slip. Again, bad decisions, but he had so few choices! I just wish he'd come to me to borrow money when he needed it rather than accepting these guys' offer. He was always close-mouthed about what he was doing after that. He said many times to me that he wished he could be doing good things too when I'd tell him about what was going on in my work. He had such huge collections of malware and 0day stuff that he kept meaning to organize and distribute to security researchers. He tried to help out with the honeynet project. etc.

My biggest fantasy is that the government would spring him out after a few years, put him in a room with a really smart handler, and let him rip at trying to figure out who spammers are or pentest government facilities for them or something. He could and would do SO much good. But of course, that only happens in the movies. Sigh.

From what he's said to me, there's a lot more stuff that he wants to say, but he can't talk about it until the trial is over. That said, I think that even he is pretty sure that he deserves some punishment for all this. I do too. But I temper this with the belief that he really would be a positive force for good if he were just given a chance. Please consider that before you vilify him.

Have fun!

Re:Very unfair image

Man, get with the times. As others should point out, this isn't identity theft, it's identity infringement. If I download your identity, you aren't deprived of it! It's like a fire that isn't diminished when another person takes a burning brand!

Oh, this isn't like downloading a song? I'm confused here.... Please, Slashdot, tell me what to think!

Re:Very unfair image

Max is/was/will always be a guy who stole identities and money other people, in many cases making their lives living Hell. You can toot all you want about the evil FBI, but fact of the matter is that Max is a thief who took things that didn't belong to him.

Different than thieves who take things that belong to them.

Rainbow tables

[bruce_the_loon]

I doubt they brute-forced the FDE, just the pass phrase to the key cert/ring.

I'll lay good money that the NSA/FBI have a full set of rainbow tables for any hash currently used for passphrases. Takes major CPU to generate, but once you've got it, it takes a very short time to find your way in.

Hell, Passware has an online site that can discover passwords for Office docs in seconds.

a painful read ..

[rs232]

The inside story .. from the school of very bad faction ..

"The heat in Max Butler's safe house was nearly unbearable .. The electric bill was so high that the apartment manager suspected Butler of operating a hydroponic dope farm"

'This story, like the rest of this article, has been reconstructed using court documents and conversations with friends and associates; Butler declined to be interviewed'

In the hands of a competent author, this style can contribute something to the story. In the hands of lesser writers, it's painful to try and read ..

wha ???

[rs232]

"Christopher Aragon had recently run an Orange County leasing company .. Butler gave him a shopping list of equipment he'd need to get started, including a new laptop, military-grade crypto, and an antenna"

The worlds greatest hacker asks a truck leaser for 'military-grade' crypto .. enough from the school-of-bad-journalism ..

Is this the same Kevin Poulsen that Adrian Lamo ran into ..

that doesn't count

[gosand]

There's a huge difference between criticism and ridicule. To be frank, most of us went through that kind of stuff growing up. Very few of us turned out anti-social.

Social networking sites don't count.

But hey, I'm anti-social, I don't care about most people in general. I hate small talk, I am not really interested in what other people do, or what their favorite sports team is, or what cute thing their kid said. I don't expect them to be interested in what mine said. I don't high-five strangers, or anyone for that matter.

I don't think it's a bad thing.

Re:Very unfair image

Errr.. surely credit card fraud only actually defrauds the card companies themselves and not the individuals who own the cards?

Re:Very unfair image

Eh, everyone breaks laws. There are no exceptions. Jacking money from a bank and inconveniencing somebody is pretty white-collar. His crime will get him a serious sentence only because it was commited against banks.

Also not exactly

[Chmcginn]

So in other words, the feds confiscated the domain, and when it became federal property, what used to be silly computer trespass became a major felonious assault on a government website.

It was an admin, not the owner, that was compromised.

Re:mod parent troll

[RockWolf]

No, He's New Here.