Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Hacker's Audacious Plan To Rule the Underground

Posted by ScuttleMonkey on from the ambition-can-carry-you-just-so-far dept.

An anonymous reader writes "Wired has the inside story of Max Butler, a former white hat hacker who joined the underground following a jail stint for hacking the Pentagon. His most ambitious hack was a hostile takeover of the major underground carding boards where stolen credit card and identity data are bought and sold. The attack made his own site, CardersMarket, the largest crime forum in the world, with 6,000 users. But it also made the feds determined to catch him, since one of the sites he hacked, DarkMarket.ws, was secretly a sting operation run by the FBI."

16 of 313 comments (clear)

  1. "Former white hat"? by EmbeddedJanitor · · Score: 5, Interesting

    Sounds like he was always a black hat but just didn't cause enough problems while he still had his training wheels on.

    --
    Engineering is the art of compromise.
  2. Catching Max Butler by Arancaytar · · Score: 1, Interesting

    I'm assuming this is a pseudonym? Or is he hiding abroad? Because if his real name is known, he can't be that hard to catch...

  3. Rather interesting line at end of article... by GPLDAN · · Score: 5, Interesting

    Months later, Aragon's lawyer gave him some bad news. The Secret Service had cracked Butler's crypto and knew more about the hacker than Aragon didâ"which meant Aragon would probably never be offered a deal, even if he wanted one.

    The USS cracked the Whole Disk Encryption of Max Butler.

    Now reading about this guy, does Max Butler seem like the kind of guy who is going to keep his WDE password on his PDA?

    No, I didn't think so either.

    So, what kind would he be likely to use? dm-crypt under Linux? Commercial PGP? Scramdisk? TrueCrypt?

    I think more WDE is backdoored than any of us suspect, and my takeaway from that line is that the commercial products aren't to be trusted.

    1. Re:Rather interesting line at end of article... by Anonymous Coward · · Score: 5, Interesting

      The thing is: people keep saying that good crypto, while breakable, isn't realistically breakable, by which they mean using the entire computational resources of the planet running continuously for thousands of years. No matter how big any government's encryption-cracking farm, it should be a problem orders of magnitude too large. Twofish, for instance, is estimated to take 32 Petabytes of text before any significant progress could be made on decrypting it, while Blowfish has "no known way to break".
      So the question becomes: does the government have quantum computers, and hasn't let on (and if so, why use them on something like this and let the secret out) or are there vulnerabilities in what we're all calling 'good crypto'.

      Or, much more likely, did he actually use good cryptography programs, or did he do something stupid? (Or did the government install keyloggers on his equipment or any of a multitude of other ways of attacking the problem that doesn't involve brute-forcing TrueCrypt, for instance.)

    2. Re:Rather interesting line at end of article... by Anonymous Coward · · Score: 1, Interesting

      Not really. When I was a kid I had a simple cheepo safe for my goods. It wasn't safe from the worlds best safe crackers or even a 20 pound sledge hammer, but it was good enough to keep my brothers hands off. Encryption is like that too. Sometimes your valuables aren't that valuable, and you just want to make it difficult enough to keep out amateurs.

    3. Re:Rather interesting line at end of article... by StikyPad · · Score: 3, Interesting

      That's why you use pass phrases. "Peter Piper Picked A Pickled Pepper!" is a far better password than #$q%{:}, and it's easier to remember. As a bonus, using natural language won't "wear down the keys" any differently, as a sibling poster suggested (although it's a ridiculous idea to begin with and sounds like something out of a movie).

      --
      https://www.eff.org/https-everywhere
    4. Re:Rather interesting line at end of article... by Cyberax · · Score: 2, Interesting

      Nope, it's not. It's actually a horrible passphrase, since it contains only dictionary words.

    5. Re:Rather interesting line at end of article... by Bender0x7D1 · · Score: 3, Interesting

      I personally find it very telling that the US government turned down Blowfish despite larger keysize, longer keyspace initialization, non-fixed S-boxes, and better performance, compared to AES.

      You can turn off your conspiracy detector. First, Blowfish wasn't allowed to be used in AES since the call for algorithms required it to handle a block size of 128 bits.

      Twofish was submitted but Rijndael was selected because of it's performance in the different types of hardware that they tried. There is a Report on the Development of the Advanced Encryption Standard [PDF warning], that provides a performance comparison, (by rating it I, II or III), of the various algorithms submitted for AES using a variety of hardware and environments, like 8-bit C and Assembler. (Figures 2, 3 and 4 in the paper.)

      Also, the NSA approved AES for use on U.S. Top Secret information. They would hardly do that if there was a known method of cracking it.

      --
      Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
  4. Not exactly by Chmcginn · · Score: 4, Interesting

    Now operation DarkMarket turns out to be a Fed-run honeypot.

    Not exactly true. One of the admins was compromised after an arrest, and rather than shutting it down, they kept it running for a bit longer, planning on setting up big buyers for eventual busts.

    --
    Have you been touched by his noodly appendage?
  5. Fun with exponents by Chmcginn · · Score: 4, Interesting

    It's quite possible to brute-force ten-letter alphanumeric passwords. With some assumptions it should be possible to brute-force even larger passwords.

    If cracking a full-disk encryption with a ten-character password takes only five seconds, an eleven-character (assuming that it's case sensitive) password is going to take five minutes. A twelve-character will take about five hours. A thirteen-character, almost two weeks. Fourteen, two years.

    --
    Have you been touched by his noodly appendage?
  6. Re:Article? by dave562 · · Score: 3, Interesting

    The article is a work of fiction because the actual details weren't available. The author states at the beginning that the details were recreated from court documents. Given that Poulsen himself is a hacker, it is pretty safe to assume that he guessed pretty closely on the details. There are only so many ways to bust into a web server, and SQL injection along with compromised passwords seems likely enough. As for what he did after he had access, what is so fictional about that? He dumped the data and dropped all of the tables. Ooooo, big stretch of imagination there. We're talking about a serious blend of fantasy and sci-fi right there.

  7. Re:Honest money by Weaselmancer · · Score: 2, Interesting

    Two things, AC.

    1) You can't prove you're right any more than he can.

    2) Regardless of who is right, his final thoughts as he leaves this world will be more pleasant than yours.

    --
    Weaselmancer
    rediculous.
  8. Re:My Ambition by Anthony_Cargile · · Score: 4, Interesting
    I get sick of explaining this, but the sig (which could not completely fit because of /.) is supposed to infinitely loop like that. I'm fully aware that getch() is only found in DOS's conio.h (and the ncurses lib), but even The C Programming Language references it, without providing the code for it (or even a header inclusion, for that matter). The full code snippet (forgive me, mods) is this:

    void PAUSE(){ printf("\nPress any key to continue. . ."); while(1) getch(); } // enforce the 'any' key

    And this was used in an old app I wrote (a long time ago) - a fake COMMAND.COM/cmd.exe used to prank anyone who used it religiously, mainly a teacher I had that pinged something every about five minutes.

    Now can we move on? (And if thats you, peter, then you obviously are new here).

  9. Sigh. by Anonymous Coward · · Score: 4, Interesting

    I have been one of Max's friends since HS. It's been most sad watching all this happen. He's such a good guy. He's made some bad choices, but he also has had his life severely constrained because of what happened with his gf in HS.

    What the article doesn't really say is that his friends don't actually believe he assaulted her. He was impulsive and kinda wacky, but never hurt anybody, nor ever wanted to. Just think of him, a big kid with long hair standing in front of a box full of old, conservative, Idaho jurors. He's scary lookin'! Convict!!

    Anyways, He was in prison while the rest of us went to college and got jobs. He got out and tried to play catch-up, but it was hard with a felony record. So for the rest of his life, he's been an outsider struggling to get in with the rest of us.

    He's tried SO hard to do the right thing. But again, his record made it hard to get jobs, and he is so good at security stuff... It's so easy to slip. Again, bad decisions, but he had so few choices! I just wish he'd come to me to borrow money when he needed it rather than accepting these guys' offer. He was always close-mouthed about what he was doing after that. He said many times to me that he wished he could be doing good things too when I'd tell him about what was going on in my work. He had such huge collections of malware and 0day stuff that he kept meaning to organize and distribute to security researchers. He tried to help out with the honeynet project. etc.

    My biggest fantasy is that the government would spring him out after a few years, put him in a room with a really smart handler, and let him rip at trying to figure out who spammers are or pentest government facilities for them or something. He could and would do SO much good. But of course, that only happens in the movies. Sigh.

    From what he's said to me, there's a lot more stuff that he wants to say, but he can't talk about it until the trial is over. That said, I think that even he is pretty sure that he deserves some punishment for all this. I do too. But I temper this with the belief that he really would be a positive force for good if he were just given a chance. Please consider that before you vilify him.

    Have fun!

  10. Re:Article? by oasisbob · · Score: 3, Interesting

    Forget Doctors, even designers and typographers care about inaccuracies in popular media.

    Check out this article about anachronistic fonts in movies.

    People are weird: we seem to care about just about everything.

  11. Re:Article? by FishAdmin · · Score: 2, Interesting
    I was with you right up to this point:

    "awful" only means "deserving of awe,"

    Now I have to be an etymology Nazi, and point some things out: When awful first came into our language (approx. 885AD, attributed to Alfred the Great), awe was an Anglo-Saxon word meaning "fear, dread, terror" (Oxford English Dictionary). At that point, awful DID mean "full of awe", but in the sense of "full of fear; full of dread".

    It was much later (16th Century) that the word awesome came into being, and the word awe had changed to mean "dread mingled with veneration; reverential or respectful fear", mostly due to it's association with the God of the Bible.

    So, you were correct in words changing meaning, but it was the word awe that had evolved, not the actual word awful.

    /Nazi

    --
    Last night I played a blank tape at full volume. The mime next door went nuts.