Slashdot Mirror
A Hacker's Audacious Plan To Rule the Underground
An anonymous reader writes "Wired has the inside story of Max Butler, a former white hat hacker who joined the underground following a jail stint for hacking the Pentagon. His most ambitious hack was a hostile takeover of the major underground carding boards where stolen credit card and identity data are bought and sold. The attack made his own site, CardersMarket, the largest crime forum in the world, with 6,000 users. But it also made the feds determined to catch him, since one of the sites he hacked, DarkMarket.ws, was secretly a sting operation run by the FBI."
"Once inside, he sucked out their content, including the logins, passwords, and email addresses of everyone who bought and sold through the sites. And then he decimated them, wiping out the databases with the ease of an arsonist flicking a match."
This seems to be written more like a work of fiction than an account of the hack. The description echo'ed the language used in Jeffery Deaver's "The Blue Nowhere".
The way I figure it all the effort that goes into making big money doing crime would be better used in the 'real' world.
I live in the ghetto and the skills required to sell drugs/weapons can be easily transferred to the business world rather easily and the income is higher.
Honest money allows me to sleep at night and at the end of this train ride, the books will be balanced and that man in the sky will do the accounting and even it all out.
It wasn't that this guy was whacking other underground sites, it's that he also nailed the FBI's "sting" website. The FBI and him engaged in a turf war, because if there's one thing the government hates, it's stealing. It hates competition.
#fuckbeta #iamslashdot #dicemustdie
I must be new here, because it's difficult for me to believe that you didn't RTFA!
He's in a prison in Pennsylvania playing D&D while awaiting his trial.
It could also be that the gov't has farms built for the purpose of cracking encryption. This guy was clealy high on their list, so it was worth the CPU time to crack. Just a guess.
Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
The main problem with encryption now is that you can't remember good enough keys anymore.
It's quite possible to brute-force ten-letter alphanumeric passwords. With some assumptions it should be possible to brute-force even larger passwords.
If the encryption isn't government-farm proof then it's kind of worthless as encryption.
>
The obvious question: why didn't the FBI do this rather than set-up a honeypot site?
Police and prosecutors are rewarded based on the number of arrests and convictions, and not necessarily on reduction in crime?
Don't blame me, I voted for Baltar.
Hacking is an obsession and an addiction. It can easily take over your life, especially if you are good at it. Finding your next target is like getting in your next fix. It offers the ultimate escape, diversion and self-esteem. In a sense, it is a power trip. The kind of rush you expirience when your skills pay off is incredible. For some, it is a rush better than sex and drugs combined. It adds a new dimension to an otherwise mundane and seemingly predictable reality. Some perspective ;)
Trying to install linux on my microwave, but keep getting a kernel panic...
Muhammad (yeah, that one) once had an epiphany, guided to him, at least in theory by the archangel Gabriel and he took this idea to the Hebrews; "I understand you! Better yet, I can improve on what you're doing!" was generally the idea.
They laughed at him, and the world has seen Semites (both Arabs and Israelis) fight to the death since then.
Hitler had ambition to become a painter of great works. He felt he had something to say in the art world, and at some point tucked his paintings under his arm and went to Vienna to show them off. "I understand you- better yet, share in my furthering works!" was the general idea.
More than 150 MILLION people died in the eventual Darwin-inspired war that followed. But to his credit, anyplace Darwin's suggestions are instituted, slavery and genocide are permitted.
It's not surprising that a hacker who doesn't fit in, ridiculed by authority figures can do great harm. Ya see, PRIDE is mankind's downfall.
Pride can be constructive; it makes us work hard and commits us to great works. But pride in it's extreme makes us do horrific things too- murders, shooting sprees and war. The Columbine killers wanted to leave a big story- make a big splash...for their pride.
Satan's favorite tool is pride. With it, a person won't accept there can even BE a God! "Surely I'm too smart for that boring crap" and the man never lifts a finger to answer the eternal question.
Be careful with your pride, aye?
The criminal's accomplices shopped him. That, plus evidence of the public market that he created, was more than enough for a search warrant.
Once again . . . there is no honor among thieves. We should all be grateful for that.
I hope that the Feds launch that guy into the stratosphere.
Not at all. The final value of this carders hoard of unused dumps was estimated to be in the range of 500 million dollars (at least according to the article) and the USSS was involved along with the FBI in an attempt to shut down the largest consolidated carder site ever assembled by one person. As other posters have pointed out, analysis of keyboard wear (assuming that Mr. Butler didn't have the foresight to regularly change his physical keyboard) might have assisted the effort greatly (yielding a success before all or even most of the possible key space had been exhausted). The point of encryption is not to provide absolute protection for all time against all efforts but rather to provide protection for a limited amount of time as a function of the resources of your adversary. The United States, as one of the reigning superpowers of the world, has a vast amount of money and resources at it's disposal (we spend more then 500 million dollars in Iraq every week). Even the best encryption will eventually fall to a determined enough adversary with enough resources to throw at the problem. The article mentions a time frame of serveral months to years (and the trial probably went on for a couple of years) which sounds reasonable if government super computers were being enlisted in a distributed brute force search of the keyspace. Fortunately, for most of us, our data is not worth 500 million dollars and so no great effort will made to brute force our FDE keys in the event that our laptops are lost or stolen. Even the resources of the largest governments are finite after all and no protection, even the strongest encryption, is infinite, but that doesn't make FDE useless.
There's a huge difference between criticism and ridicule. To be frank, most of us went through that kind of stuff growing up. Very few of us turned out anti-social.
Max is/was/will always be a guy who stole identities and money other people, in many cases making their lives living Hell. You can toot all you want about the evil FBI, but fact of the matter is that Max is a thief who took things that didn't belong to him.
If you want news from today, you have to come back tomorrow.
I think this dubious honor belongs to the US government.
What a load of hogwash!
analysis of keyboard wear [...] might have assisted the effort greatly
No. It would not. It's pretty simple. How many times do you type your password vs. how many times do you type some other word? Try doing some computer simulations if you don't believe me. The data will be lost in noise.
The point of encryption is not to provide absolute protection for all time against all efforts but rather to provide protection for a limited amount of time as a function of the resources of your adversary.
No. The point is to take advantage of math problems that are asymmetrically hard to solve.
The goal is to create the largest force multiplier you can. This is how crypto differs from regular security.
The perfect cipher would be simple enough for a human to compute readily on a single piece of paper while resisting the brute forcing efforts of a computer built using every atom on earth, clocked at one terahertz and running since the beginning of the universe. It's a issue of scale. The "force multiplier" effect avaible from crypto is greater than anything in the physical security world. Imagine instead that instead of working with of E = MC^2, you were working with E = C*2^M. See how it's different? The work required to brute force a key baloons very quickly.
Even the best encryption will eventually fall to a determined enough adversary with enough resources to throw at the problem.
No, actually that's not a certainty.
In order for what you said to be true there would have to be fundamental weaknesses in ever cryptographical scheme ever conceived, now or in the future.
If we find even one decent algorithm, free of shortcuts, then by using a large enough key it is possible to ensure that your data is not decoded before the death of the sun.
which sounds reasonable if government super computers were being enlisted in a distributed brute force search of the keyspace.
BASED ON WHAT? Why is months any more reasonable of a timeline to crack an unknown encryption scheme with unknown resources? Why not milliseconds? Why not millenia?
You have NO IDEA, what a reasonable time scale would be and you're just talking out your ass here.
I suppose some my consider me rude for point that out, but there are those of us who find people randomly making things up to support their argument to be rude.
Life is too short to proofread.
"We did give Saddam Hussein the key to the city of Detroit."
He was once an ally, but that is irrelevant because it was not done by the NSA.
"How'd that Vietnam war ever turn out?"
From a military perspective, we were winning prior to the pull-out. We left because of eroded support for the war among the American public.
"How are things in Iran these days?"
You are 1 for 3, things are bad in Iran. But, as with the key to Detroit, this was not an NSA action.
"No the US would never shortsightedly adopt a policy against its own interests, especially with regard to cryptography." The laws surround cryptography are not passed by the NSA, they are passed by congressmen with little to no understanding of the field or how it works. Export restrictions on cryptography have nothing to do with the NSA, in fact, the NSA operates under the assumption that regardless of export law, publicly available cryptography systems will escape US borders. The idea that a cipher itself must be kept secret is beyond outdated; in fact, it is an idea that was dropped centuries ago, when the Kama Sutra cipher was published. While the NSA has, in the past, kept the nature of the ciphers used for SECRET and TOP SECRET level documents classified, this is no longer the case; AES represents a departure from that position.
AES is a mandatory standard for SECRET and TOP SECRET communications. This goes beyond the NSA, to every branch of the government. If the NSA had deliberately inserted a back door into AES, it would open the possibility of a foreign power deciphering high security communication within the US government. If you do not trust the NSA -- which hires expert cryptographers and security researchers -- to make good decisions about the security of the USA, then you might as well leave now for your own protection.
Of course, you do trust the NSA, and I notice that you never questioned my assertion about the DES S-boxes or anything relevant to actual cryptography. Another example would be the revision of SHA-0 to SHA-1 by the NSA; SHA-1 is more resistant to collision attacks than SHA-0. You do not seem to be interested in questioning whether or not the NSA introduced a weakness of some kind into SHA-1 or SHA-2. I agree that congress has a habit of passing stupid laws when it comes to cryptography, but to claim that this implies that the NSA has been trying to sabotage national security just screams of tin foil.
Palm trees and 8
Any-key-humor was slightly funny twenty years ago when Homer Simpson couldn't find the Any key.
``Press any key'' unambiguously means that any keyboard input is acceptable.
The real point of the humor is that users (who are native English speakers) get so acustomed to grammatically-gutted error messages which lack proper capitalization, punctuation and the use of articles like "a" and "the", that they no longer parse ``press any key'' in the obvious way. It's a computer message so there must be article missing, right? The user has come to believe that the computer is a Russian immigrant.
The lesson from Any Key humor is that text presented to the user should be recognized as grammatic by a native speaker of the user interface language in which it is written, and it should follow the proper orthographic conventions used in the written version of that language.
A prank program that doesn't allow the user to continue because he hasn't pressed the nonexistent Any key is not funny. The victim won't get the joke; it just looks like something has frozen, which is indistinguishable from routine behavior of a computer running DOS and Windows.
This may be slightly better:
unsigned int i = 0;
for (;;i++) { /* nonportable character-at-a-time input */ ... any ... key ... and just to press!\n");
getch();
switch (i) {
case 5:
printf("please, i asking, to press any key!\n");
break;
case 8:
printf("!!?? it is still not any key, what now you did!\n");
break;
case 10:
printf("No no no! user to find
break;
case 15:
printf("it is in afghanistan keypad on standard soviet keyboard.\n");
break;
case 20:
printf("will not continue until any key. understand? discussion end.\n");
break;
}
}