Slashdot Mirror


A Hacker's Audacious Plan To Rule the Underground

An anonymous reader writes "Wired has the inside story of Max Butler, a former white hat hacker who joined the underground following a jail stint for hacking the Pentagon. His most ambitious hack was a hostile takeover of the major underground carding boards where stolen credit card and identity data are bought and sold. The attack made his own site, CardersMarket, the largest crime forum in the world, with 6,000 users. But it also made the feds determined to catch him, since one of the sites he hacked, DarkMarket.ws, was secretly a sting operation run by the FBI."

7 of 313 comments

  1. "Former white hat"? by EmbeddedJanitor · Score: 5, Interesting

    Sounds like he was always a black hat but just didn't cause enough problems while he still had his training wheels on.

    --
    Engineering is the art of compromise.
  2. Rather interesting line at end of article... by GPLDAN · Score: 5, Interesting

    Months later, Aragon's lawyer gave him some bad news. The Secret Service had cracked Butler's crypto and knew more about the hacker than Aragon did—which meant Aragon would probably never be offered a deal, even if he wanted one.

    The USS cracked the Whole Disk Encryption of Max Butler.

    Now reading about this guy, does Max Butler seem like the kind of guy who is going to keep his WDE password on his PDA?

    No, I didn't think so either.

    So, what kind would he be likely to use? dm-crypt under Linux? Commercial PGP? Scramdisk? TrueCrypt?

    I think more WDE is backdoored than any of us suspect, and my takeaway from that line is that the commercial products aren't to be trusted.

    1. Re:Rather interesting line at end of article... by Anonymous Coward · Score: 5, Interesting

      The thing is: people keep saying that good crypto, while breakable, isn't realistically breakable, by which they mean using the entire computational resources of the planet running continuously for thousands of years. No matter how big any government's encryption-cracking farm, it should be a problem orders of magnitude too large. Twofish, for instance, is estimated to take 32 Petabytes of text before any significant progress could be made on decrypting it, while Blowfish has "no known way to break".
      So the question becomes: does the government have quantum computers, and hasn't let on (and if so, why use them on something like this and let the secret out) or are there vulnerabilities in what we're all calling 'good crypto'?

      Or, much more likely, did he actually use good cryptography programs, or did he do something stupid? (Or did the government install keyloggers on his equipment or any of a multitude of other ways of attacking the problem that don't involve brute-forcing TrueCrypt, for instance.)

  3. Not exactly by Chmcginn · Score: 4, Interesting

    Now operation DarkMarket turns out to be a Fed-run honeypot.

    Not exactly true. One of the admins was compromised after an arrest, and rather than shutting it down, they kept it running for a bit longer, planning on setting up big buyers for eventual busts.

    --
    Have you been touched by his noodly appendage?
  4. Fun with exponents by Chmcginn · Score: 4, Interesting

    It's quite possible to brute-force ten-letter alphanumeric passwords. With some assumptions it should be possible to brute-force even larger passwords.

    If cracking a full-disk encryption with a ten-character password takes only five seconds, an eleven-character (assuming that it's case sensitive) password is going to take five minutes. A twelve-character will take about five hours. A thirteen-character, almost two weeks. Fourteen, two years.

    --
    Have you been touched by his noodly appendage?
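
The scaling in the "Fun with exponents" comment above, worked through as an added example (not part of the original comment). It assumes an exhaustive search over passwords of exactly the given length and takes the comment's five-second, ten-character baseline as given; the function names are illustrative, and the 95-character alphabet goes beyond the comment's case-sensitive alphanumeric case.

```python
ALNUM_CASE_SENSITIVE = 62   # a-z, A-Z, 0-9: the alphabet the comment assumes
PRINTABLE_ASCII = 95        # assumption added here: letters, digits, symbols, space

YEAR = 365.25 * 86400       # seconds per year


def projected_seconds(base_len, base_seconds, target_len,
                      alphabet=ALNUM_CASE_SENSITIVE):
    """Worst-case time to try every password of exactly target_len characters,
    scaled from a time measured at base_len. Each extra character multiplies
    the keyspace, and therefore the search time, by the alphabet size."""
    return base_seconds * alphabet ** (target_len - base_len)


def humanize(seconds):
    """Render a duration in the largest unit that yields a value >= 1."""
    for name, size in (("years", YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def min_length(base_len, base_seconds, required_seconds,
               alphabet=ALNUM_CASE_SENSITIVE):
    """Shortest length whose exhaustive search takes at least required_seconds.
    The average-case search is half the worst case, which costs the defender
    at most one extra character, so the worst case is used throughout."""
    length = base_len
    while projected_seconds(base_len, base_seconds, length,
                            alphabet) < required_seconds:
        length += 1
    return length


if __name__ == "__main__":
    # Reproduce the comment's table from its own 5 s / 10-character baseline.
    for n in range(10, 15):
        print(n, humanize(projected_seconds(10, 5, n)))
    # Length needed to push the same attacker past 1000 years of work.
    print("62-char alphabet:", min_length(10, 5, 1000 * YEAR))
    print("95-char alphabet:", min_length(10, 5, 1000 * YEAR, PRINTABLE_ASCII))
```

The figures hold only for uniformly random passwords; a human-chosen password falls to dictionary and rule-based guessing long before the exhaustive search finishes.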
  5. Re:My Ambition by Anthony_Cargile · Score: 4, Interesting
    I get sick of explaining this, but the sig (which could not completely fit because of /.) is supposed to infinitely loop like that. I'm fully aware that getch() is only found in DOS's conio.h (and the ncurses lib), but even The C Programming Language references it, without providing the code for it (or even a header inclusion, for that matter). The full code snippet (forgive me, mods) is this:

    void PAUSE(){ printf("\nPress any key to continue. . ."); while(1) getch(); } // enforce the 'any' key

    And this was used in an old app I wrote (a long time ago) - a fake COMMAND.COM/cmd.exe used to prank anyone who used it religiously, mainly a teacher I had that pinged something about every five minutes.

    Now can we move on? (And if that's you, peter, then you obviously are new here).

  6. Sigh. by Anonymous Coward · Score: 4, Interesting

    I have been one of Max's friends since HS. It's been most sad watching all this happen. He's such a good guy. He's made some bad choices, but he also has had his life severely constrained because of what happened with his gf in HS.

    What the article doesn't really say is that his friends don't actually believe he assaulted her. He was impulsive and kinda wacky, but never hurt anybody, nor ever wanted to. Just think of him, a big kid with long hair standing in front of a box full of old, conservative, Idaho jurors. He's scary lookin'! Convict!!

    Anyways, he was in prison while the rest of us went to college and got jobs. He got out and tried to play catch-up, but it was hard with a felony record. So for the rest of his life, he's been an outsider struggling to get in with the rest of us.

    He's tried SO hard to do the right thing. But again, his record made it hard to get jobs, and he is so good at security stuff... It's so easy to slip. Again, bad decisions, but he had so few choices! I just wish he'd come to me to borrow money when he needed it rather than accepting these guys' offer. He was always close-mouthed about what he was doing after that. He said many times to me that he wished he could be doing good things too when I'd tell him about what was going on in my work. He had such huge collections of malware and 0day stuff that he kept meaning to organize and distribute to security researchers. He tried to help out with the honeynet project. etc.

    My biggest fantasy is that the government would spring him out after a few years, put him in a room with a really smart handler, and let him rip at trying to figure out who spammers are or pentest government facilities for them or something. He could and would do SO much good. But of course, that only happens in the movies. Sigh.

    From what he's said to me, there's a lot more stuff that he wants to say, but he can't talk about it until the trial is over. That said, I think that even he is pretty sure that he deserves some punishment for all this. I do too. But I temper this with the belief that he really would be a positive force for good if he were just given a chance. Please consider that before you vilify him.

    Have fun!