Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Iceman' Gets 13 Years For 2nd Hacking Offense

Posted by ScuttleMonkey on from the too-ambitious dept.

Hugh Pickens writes "Computerworld reports that Max Ray Butler, who used the hacker pseudonym Iceman, has been sentenced to 13 years in federal prison for hacking into financial institutions and stealing credit card account numbers, the longest known sentence ever handed down for hacking charges. This isn't Butler's first time facing a federal hacking sentence. After a promising start as a security consultant who did volunteer work for the FBI, Butler was arrested for writing malicious software that installed a back-door program on computers — including some on federal government networks — that were susceptible to a security hole. Butler served an 18-month prison term for the crime and fell on hard times after his 2002 release. In desperation, he turned again to cybercrime and by the time of his arrest in September 2007, he had built the largest marketplace for stolen credit and debit card information in the world."

45 of 289 comments (clear)

  1. long term sentence by girlintraining · · Score: 4, Insightful

    And lesson we've all learned today, class? Don't crap in your own backyard.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:long term sentence by kestasjk · · Score: 2, Insightful

      Sucks that he couldn't put his abilities to better use.. Too bad for him

      --
      // MD_Update(&m,buf,j);
  2. Good. by AnotherUsername · · Score: 4, Insightful

    I hope that he has to serve the full sentence, and doesn't get out on parole. Credit card fraud is not fun. I can only hope that more people convicted of credit card fraud receive sentences like this.

    --
    I don't like Linux. This doesn't make me a troll.
    1. Re:Good. by osu-neko · · Score: 5, Insightful

      Yeah, blame the criminals for exploiting a system...

      Um, yes. That does make sense.

      --
      "Convictions are more dangerous enemies of truth than lies."
    2. Re:Good. by Anonymous Coward · · Score: 2, Insightful

      Yeah, blame the criminals for exploiting a system designed to dispense cash based solely on a 4 digit number; That makes sense. Credit card fraud wouldn't happen nearly to the degree it does if financial institutions had designed the system to be more resiliant to attack.

      Each person must be responsible for his or her own actions. Blaming the victim only reinforces the Just World Phenomenon.

    3. Re:Good. by elgaard · · Score: 3, Insightful

      Yes, that would like blaming burglers for breaking into houses protected by only wooden doors and glass windows. Burglary wouldn't happen nearly to the degree it does if house-owners designed their houses with steel doors and bullet-proof glass windows.

    4. Re:Good. by GIL_Dude · · Score: 5, Insightful

      Yes, I absolutely blame the criminal. After all, many of us here on slashdot have the technical ability (or could get it easily: some of these folks are really smart) to do this same type of criminal activity. They don't do it because they aren't criminals. Who the heck else would we blame but the person responsible for committing the crime? Now, if you want to talk about "the system" (justice system, not the banking system) and how unfortunate it is that it is nearly impossible to get a job after being in prison once - yes, that is tough and the summary alludes to the "hard times" iceman fell on probably due to the stigma of his earlier crime and resulting prison sentence. This can, and often is, extremely difficult to overcome and can mean years of living on handouts from relatives, living in campgrounds, etc. (can you tell I have a brother in law who has been through this?). However, the fact remains that the crime is the responsibility of the criminal and not the banking system. If the credit card system was more secure, this criminal would have went after the next most lucrative thing.

    5. Re:Good. by dreamchaser · · Score: 4, Insightful

      I often find myself agreeing with your posts but not this one. While I do agree that the PCI (Payment Card Industry) needs some major overhaul, people are still responsible for their crimes. Yes, I do blame criminals for being criminals.

    6. Re:Good. by elnyka · · Score: 3, Insightful

      I hope that he has to serve the full sentence, and doesn't get out on parole. Credit card fraud is not fun. I can only hope that more people convicted of credit card fraud receive sentences like this.

      Yeah, blame the criminals for exploiting a system designed to dispense cash based solely on a 4 digit number; That makes sense. Credit card fraud wouldn't happen nearly to the degree it does if financial institutions had designed the system to be more resiliant to attack. And by more resiliant, I mean doing something other than coating the cash in BBQ sauce and waving it in front of the hungry and unemployed masses while chanting "Hell no, we won't upgrade!"

      Oh wow, so I guess by your logic, I should not blame the person who broke into my car and stole just because the lock wasn't designed against simple lock-picking (it isn't hard to pick a lock.)

      Blame the faults of the implementation of a technology, and absolve the criminal of his own personal and moral responsibility. Awesome display of stupidity.

    7. Re:Good. by Hatta · · Score: 5, Insightful

      If you really want to reduce fraud, make the banks financially responsible for it. As it is, there's little incentive for the industry to increase their security.

      I'm not saying this guy shouldn't be in jail. We should absolutely punish those who take unfair advantage of the system. But if we really want results, we should fix the system.

      --
      Give me Classic Slashdot or give me death!
    8. Re:Good. by shentino · · Score: 4, Insightful

      Or rather, we should nix the fallacy that ONE bad act can earn blame on just ONE person.

      Think about this. If a criminal broke into a storage unit because the guard was asleep, the guard doesn't get off scot-free, right? Even though the criminal gets the blame?

      They both contributed to the theft. The thief by actually doing it, and the guard for letting it happen.

      The crooks actually doing the fraud should get nailed. But I think the banks have plenty of blame themselves for trying to weasel out of security.

    9. Re:Good. by Lumpy · · Score: 2, Insightful

      Yet the scumbags at AIG and the financial institutions robbed most americans blind and they were given end of the year bonuses!

      --
      Do not look at laser with remaining good eye.
    10. Re:Good. by Anonymous Coward · · Score: 1, Insightful

      Perhaps we should blame both the person who broke into your car as well as the user of the lock for the break-in. You incorrectly assume that blaming the perpetrator and blaming the victim are mutually exclusive.

    11. Re:Good. by Penguinisto · · Score: 3, Insightful

      Saying the banking system is innocent of neglecting security is like saying a security guard who happens to fall asleep on duty isn't responsible if there's a break in.

      True, but this does not absolve the criminal from doing the time. No different than saying that rape is okay because the victim was "asking for it, all dressed up like that".

      In an ideal system, the CC companies would have to eat the responsibili- oh, wait... they already do; CC fraud is usually something the CC company has to eat the costs of (after a certain liability point, anyway).

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    12. Re:Good. by plague3106 · · Score: 3, Insightful

      A sleeping gaurd does not contribute to theft. They fail in their job function, but they didn't do anything to cause the other person to steal either (unless you're claiming they were working together, which you don't seem to be doing). Following your logic, I would be contributing to my own home being burgurlized because I DIDN'T even hire a guard.

    13. Re:Good. by sjames · · Score: 4, Insightful

      In this analogy, Bob (the consumer) is a victim from all sides. He was wearing a vest but it turned out to have tissue paper inside rather than kevlar and had a target painted on it. For some reason, the courts side with the manufacturer of the vest, accepting their claim that it was up to Bob to verify the vest's construction.

      The criminals are naturally at fault, but the banks are also to blame for flimsy security and trying to stick the consumer with the cost of the inevitable fraud. The law is at fault for actually letting the banks stick it to the consumer.

      For some bizarre reason, banks are treated as if they are intrinsically honest, conscientious and correct. Recent events provide ample evidence that the assumption is faulty.

      If they had to actually demonstrate that you made a charge before they could try to collect money from you, you can bet the system would be tightened up overnight.

    14. Re:Good. by sjames · · Score: 2, Insightful

      Actually, no. When the charge is ruled fraudulent, it is reversed, so the merchant ends up holding the bag. The only party that never loses is the bank.

    15. Re:Good. by walshy007 · · Score: 2, Insightful

      For example, I have the most secure server in world. It's on the floor in my closet

      oh really, what would stop someone from say, breaking into your house and physically stealng said server? people all too often forget physical security, when they have physical access you are boned.

  3. Interesting..... by LordPhantom · · Score: 5, Insightful

    "It is a shame that someone with so much ability chose to use it in a manner that hurt many people," Dembosky said in an e-mail message."

    That in light of

    "Butler served an 18-month prison term for the crime and fell on hard times after his 2002 release, he said in a sentencing memorandum filed Thursday. "I was homeless, staying on a friends couch. I couldn't get work," he wrote. In desperation, he turned again to cybercrime."

    I'm not saying he's right, but it does highlight something interesting about finding work as an ex-con.

    1. Re:Interesting..... by Attila+Dimedici · · Score: 4, Insightful

      Of course it didn't help that he was convicted of abusing the trust that people gave him when offered his services as a security consultant in the first place (which appears to be his only marketable skills).

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    2. Re:Interesting..... by nhytefall · · Score: 2, Insightful

      Absolutely correct. There were many things he *could* have done, but that his pride as a "security consultant" (and I use that term very loosely) *wouldn't* let him. Personally, he's best off where he is going.

      Perhaps, in time, when he gets out he will have a new perspective on life. Probably not.

      --
      0100010001101001011001 0100100000011010010110 1110001000000110000100 1000000110011001101001 0111001001100101
    3. Re:Interesting..... by Peter+Simpson · · Score: 2, Insightful

      I couldn't get work," he wrote. In desperation, he turned again to cybercrime."

      Cry me a river.

      Try standing out in front of Lowe's or Home Depot on a Saturday morning. It seems to work for others.

      There's plenty of work for ex-cons who want to work. He just took the easy way.

    4. Re:Interesting..... by Anonymous Coward · · Score: 1, Insightful

      That has always bothered me. We send people to prison and then expect them to subsist on working as a janitor at 2-3 different jobs when they get out. Everyone wants a chance to make something of themselves and the only option we give to ex-cons is crime.

    5. Re:Interesting..... by hesaigo999ca · · Score: 3, Insightful

      I do agree, why does it have to be a forwarning to employers that you had a criminal past. If I spent my time in jail as decreed by the law for my crime, I have served my sentenced and therefor deserve the respect of doing the time, and start with a clean slate. No one will hire a criminal because they do not believe they have been reformed. I tend to agree the system is faulty, but I would start with making it somewhat less complicated for an ex con to get a job.

      If he was young, and made a mistake, and paid for it, he deserves a REAL second chance. I think that is why so many of the cons try to get right back in after they get out....because not only have they become accustomed to that life, but also, they do not have to deal with rejection, starving, homelessness, etc..

    6. Re:Interesting..... by Anonymous Coward · · Score: 2, Insightful

      The right answer is to lie and say you aren't a felon.

    7. Re:Interesting..... by MightyMartian · · Score: 2, Insightful

      I might even buy this if it was a sort of "stealing bread to survive" kind of thing, just doing enough online hacking to put a roof over his head and food in his belly. But even if that's how this second dip into the world of mass theft began, any notion that this was just a form of employment kind of gets disproven by the sheer size of what he did.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    8. Re:Interesting..... by fm6 · · Score: 3, Insightful

      So, when a criminal does his time, gets out, and can't find a job, your only response is, "It's your own fault." That's just stupid.

      There seems to be a widespread belief that if you have a social problem, all you need to do is find somebody to blame. As when ex-cons can't find work: it's their own fault for breaking the law. Moral myopia aside, that just doesn't work out. If a criminal has no chance to "go straight" you're guaranteeing that he'll go on comiting crimes.

      Yeah, yeah, many ex-cons will do that no matter what. But does that mean we have to make it their only choice? Perhaps helping them find lawful alternatives sticks in your self-righteous craw, but ask yourself, is that any worse than paying the huge costs (about $22K per prisoner per year) of an ever-growing prison population? Not to mention the huge economic and human costs of the crimes this culture of punishment is facilitating.

    9. Re:Interesting..... by Deanalator · · Score: 3, Insightful

      That's what the prison sentence was for.. I find it extremely unfair that even after you get out, the only job you can get with a felony like that is gas station attendant. I think equal opportunity laws should cover people with criminal records for this very reason.

    10. Re:Interesting..... by Mjec · · Score: 3, Insightful

      If you're not going to give him a second chance, why let him out of prison at all?

      --
      "But everyone should know everything." -markab
    11. Re:Interesting..... by Attila+Dimedici · · Score: 2, Insightful

      So, you would have no problem hiring a guy to be your bookkeeper who had been convicted of embezzling from the last guy he worked for as a bookkeeper?

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    12. Re:Interesting..... by Simetrical · · Score: 2, Insightful

      If you're not going to give him a second chance, why let him out of prison at all?

      Costs less. Duh.

      --
      MediaWiki developer, Total War Center sysadmin
    13. Re:Interesting..... by fm6 · · Score: 2, Insightful

      I suppose I would have a problem. That's not the point. This isn't about whether employers should ignore an applicant's criminal records. This is about what we do to try to re-integrate people who've left prison. And right now we don't do shit.

      Take your embezzling bookkeeper. It's safe to say that once he's been convicted, he's going to have to find a new way to make a living. So it makes sense to retrain him to do something else while he's incarcerated. Otherwise, all the good will in the world won't help him find a new job. There's a good chance he'll end up homeless, which costs us both financially and morally. Or else he'll get some retraining from his fellow prisoners...

      The big problem is that prisons no longer try to retrain their inmates. Spending any money to "coddle criminals" is politically impossible. Never mind that we'd save money in the long run. (And even the short run — teachers are a more cost-effective form of behavior control than guards.) We're too busy being angry and self-righteous to think things through.

  4. Slashdot misses the point by netik · · Score: 4, Insightful

    This isn't about a 13 year sentence for "Hacking."

    This is a 13 year sentence for credit fraud, credit card theft, and oh yeah, he also stored the credit card numbers on a computer where other people could get to them.

    There's no cleverness here that needs awarding. Back doors are easy to install when the FBI has already allowed you to contract there.

  5. He did it to himself. by Ungrounded+Lightning · · Score: 4, Insightful

    I'm not saying he's right, but it does highlight something interesting about finding work as an ex-con.

    His first conviction was for criminally violating the trust of his employer and working in direct contravention to his employer's interests and mission. His skills are such that to be employed effectively he must be trusted.

    Oops!

    He did it to himself. No employment for him. (He'd have been lucky to find burgers to flip.)

    So then he starts a business. High corporate positions may have been barred to him by his first conviction, but a lot of smaller stuff still was open. Yet what does he chose? Cybercrime.

    Oops!

    When he finally gets out from THIS one he'll be watched so closely that even organized crime is unlikely to work with him.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  6. Quite right. by CountBrass · · Score: 3, Insightful

    Some things deserve a permanent stigma: in this case how can you seriously expect he would continue to act in a role that requires significant trust when he's proven he can't be trusted?

    --
    Bad analogies are like waxing a monkey with a rainbow.
  7. Re:Sure it does by mosb1000 · · Score: 2, Insightful

    Usually when people say they can't find work, they mean work they are willing to do. He might be able to get a job at McDonalds or 7-eleven, but they probably weren't up to his standards.

    I have a lot of friends who say they can't find a job because of the job market. When I ask them if they've tried at applying for a job at a fast food place with a help-wanted sign on the door they universally respond with something like "I won't work fast food" or "I'm looking for more money than that". It's hard to earn my sympathy, if that's all the harder you'll try. I've worked fast-food, I've been a janitor, I've worked a cash register. If I were to lose my job today, I wouldn't consider myself above such things. It's all work that needs to get done.

  8. No sympathy. by Beelzebud · · Score: 2, Insightful

    No sympathy from me. Why should I feel any more sorry for him than someone that snatches purses, or robs liquor stores?

  9. Re:Prison is bullshit by svtdragon · · Score: 2, Insightful

    Disregarding the many other ways in which this is impractical, draconian, etc...

    Since those most skilled in the areas necessary to test our security infrastructure are liable to be executed in this manner for simply working to *acquire* said skills, let's just leave it up to some hostile foreign entity to find the security holes. We'll clearly be much better off in the long run.

  10. Not just pin numbers! by Unordained · · Score: 4, Insightful

    In an ideal world, identification (username) and authentication (password) would be separate. But that's not the case in the financial world. Every time you use a credit card or cheque, you're leaving behind a trail that contains either your credit card number and security code (if online), or your bank's routing number and your account number. Your one-time authorization for withdrawal has given away the keys to the kingdom! It's like social security numbers in that respect. Only a few services (Discover bank?) allow you to setup single-use identifiers that work around this problem without rebuilding the whole system from scratch. More should. If you need to setup recurring payments, you should be able to tell your bank who's going to be doing it, how often, for (about) how much, and get a number that a hacker could not reuse for some other purpose. (And while you're at it, you make it transportable, so you can redirect that number to your new bank account when you get tired of your old bank screwing up, without having to remember to notify everyone that your bank account number's changed.)

  11. the security guard put a bag of money at his feet by circletimessquare · · Score: 4, Insightful

    and someone takes it

    fact: the security guard is responsible

    fact: the asshole who took it is responsible

    the security guard is responsible for neglecting his duty, NOT FOR THE MONEY

    the asshole who took it is guilty of taking something that isn't his, they are on the line for the money

    two different responsibilities

    but even beyond that, the fact that we NEED security guards is because so many people, such as yourself, don't understand simple fucking morality in this world

    there are moral people, who would not take something that is not theres. and there are roaming monkeys with no moral compass who take whatever they can get. such people are the problem with this world. there's no defense for such being such an asshole. if it's not yours, don't fucking take it. it's really that fucking simple. learn it

    just because security is lax doesn't entitle you to a damn thing or entitle anyone for any excuse for committing a crime. if you take something that isn't yours, you are guilty, no matter if it is fort knox or a bag of money behind an open door: same level of guilt

    try to understand basic morality at some point in your life

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  12. Another perspective by russotto · · Score: 3, Insightful

    He starts by doing legitimate penetration testing; he leaves backdoors for himself, but doesn't do anything nasty with them. Then he starts hacking into government computers, and does the same thing; leaves a door open but doesn't do anything else nasty. The FBI catches him for it... but rather than bust him, they attempt to enslave him. He helps them bust another computer criminal ring. But after a while he refuses to serve them and they do bust him. They lie and claim he was of no help, and throw him in jail for a year and a half. When he gets out, his skills are now useful for nothing but crime; no legitimate company will touch him. So, naturally, he does turn to crime. This time actually doing some damage. Well, what did you expect?

    1. Re:Another perspective by DaveV1.0 · · Score: 3, Insightful

      Turns to crime? He turned to crime at "Then he starts hacking into government computers".

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  13. Re:Prison is bullshit by DeadCatX2 · · Score: 2, Insightful

    Actually, 3-year recidivism is something like 50% in the UK and US.

    And the prison system is not a failure. It has been a wild success. At least 1% of our population is in prison, many for non-violent and victimless crimes. The prison lobby has been so successful that you never hear anyone talk about Big Prison the way you hear Big Oil or Big Pharma or Big Farma.

    The reason you think the prison system is a failure is because you are under the mistaken impression that it's primary purpose is to rehabilitate criminals. The system is designed to generate a profit; imprisoning and/or rehabilitating criminals is an accidental side effect.

    If you don't believe me, then imagine if we had under-used prisons. In order to protect their business model, the prison lobby would pay for a whole new set of laws, preferably ones that many people already violate, so we can keep imprisoning Americans...much like the War on Drugs has made sure to keep prisons in business despite the continuous drop in violent crime over the past two decades.

    --
    :(){ :|:& };:
  14. Re:Read the Fine Print by Binder · · Score: 2, Insightful

    I still believe it is ridiculous that murderers get shorter sentences than this.

  15. Re:Read the Fine Print by precariousgray · · Score: 2, Insightful

    At first, I thought they were referring to whom I consider to be the real Iceman.

    --
    not much, just being forced to manually insert line breaks into my comment