Slashdot Mirror


'Iceman' Gets 13 Years For 2nd Hacking Offense

Hugh Pickens writes "Computerworld reports that Max Ray Butler, who used the hacker pseudonym Iceman, has been sentenced to 13 years in federal prison for hacking into financial institutions and stealing credit card account numbers, the longest known sentence ever handed down for hacking charges. This isn't Butler's first time facing a federal hacking sentence. After a promising start as a security consultant who did volunteer work for the FBI, Butler was arrested for writing malicious software that installed a back-door program on computers — including some on federal government networks — that were susceptible to a security hole. Butler served an 18-month prison term for the crime and fell on hard times after his 2002 release. In desperation, he turned again to cybercrime and by the time of his arrest in September 2007, he had built the largest marketplace for stolen credit and debit card information in the world."

19 of 289 comments

  1. long term sentence by girlintraining · · Score: 4, Insightful

    And lesson we've all learned today, class? Don't crap in your own backyard.

    --
    #fuckbeta #iamslashdot #dicemustdie
  2. Looks like Iceman is being put on ice... by zero_out · · Score: 4, Funny

    Looks like Iceman is being put on ice for 13 years. It's well-deserved, IMO.

  3. Read the Fine Print by otherniceman · · Score: 5, Funny

    12 Years, 11 months of the sentence for using the pseudonym Iceman.

  4. Good. by AnotherUsername · · Score: 4, Insightful

    I hope that he has to serve the full sentence, and doesn't get out on parole. Credit card fraud is not fun. I can only hope that more people convicted of credit card fraud receive sentences like this.

    --
    I don't like Linux. This doesn't make me a troll.
    1. Re:Good. by osu-neko · · Score: 5, Insightful

      Yeah, blame the criminals for exploiting a system...

      Um, yes. That does make sense.

      --
      "Convictions are more dangerous enemies of truth than lies."
    2. Re:Good. by GIL_Dude · · Score: 5, Insightful

      Yes, I absolutely blame the criminal. After all, many of us here on Slashdot have the technical ability (or could get it easily: some of these folks are really smart) to do this same type of criminal activity. They don't do it because they aren't criminals. Who the heck else would we blame but the person responsible for committing the crime? Now, if you want to talk about "the system" (justice system, not the banking system) and how unfortunate it is that it is nearly impossible to get a job after being in prison once - yes, that is tough and the summary alludes to the "hard times" Iceman fell on probably due to the stigma of his earlier crime and resulting prison sentence. This can be, and often is, extremely difficult to overcome and can mean years of living on handouts from relatives, living in campgrounds, etc. (can you tell I have a brother-in-law who has been through this?). However, the fact remains that the crime is the responsibility of the criminal and not the banking system. If the credit card system was more secure, this criminal would have gone after the next most lucrative thing.

    3. Re:Good. by dreamchaser · · Score: 4, Insightful

      I often find myself agreeing with your posts but not this one. While I do agree that the PCI (Payment Card Industry) needs some major overhaul, people are still responsible for their crimes. Yes, I do blame criminals for being criminals.

    4. Re:Good. by Hatta · · Score: 5, Insightful

      If you really want to reduce fraud, make the banks financially responsible for it. As it is, there's little incentive for the industry to increase their security.

      I'm not saying this guy shouldn't be in jail. We should absolutely punish those who take unfair advantage of the system. But if we really want results, we should fix the system.

      --
      Give me Classic Slashdot or give me death!
    5. Re:Good. by shentino · · Score: 4, Insightful

      Or rather, we should nix the fallacy that ONE bad act can earn blame on just ONE person.

      Think about this. If a criminal broke into a storage unit because the guard was asleep, the guard doesn't get off scot-free, right? Even though the criminal gets the blame?

      They both contributed to the theft. The thief by actually doing it, and the guard for letting it happen.

      The crooks actually doing the fraud should get nailed. But I think the banks have plenty of blame themselves for trying to weasel out of security.

    6. Re:Good. by WegianWarrior · · Score: 4, Informative

      I hope that he has to serve the full sentence, and doesn't get out on parole. Credit card fraud is not fun. I can only hope that more people convicted of credit card fraud receive sentences like this.

      Yeah, blame the criminals for exploiting a system designed to dispense cash based solely on a 4 digit number; That makes sense. Credit card fraud wouldn't happen nearly to the degree it does if financial institutions had designed the system to be more resilient to attack. And by more resilient, I mean doing something other than coating the cash in BBQ sauce and waving it in front of the hungry and unemployed masses while chanting "Hell no, we won't upgrade!"

      Oh wow, so I guess by your logic, I should not blame the person who broke into my car and stole just because the lock wasn't designed against simple lock-picking (it isn't hard to pick a lock.)

      Blame the faults of the implementation of a technology, and absolve the criminal of his own personal and moral responsibility. Awesome display of stupidity.

      This is often referred to as 'the poor victim mentality' over here, and seems to work from the basic premise that the criminal has become a criminal because society at large has failed him/her somehow... it's a lot of waving hands and requests to ignore the man behind the curtain, but somehow the criminal commits crime as a plea for help. This is the same logic that lies behind blaming the rape victim for the fact that the rapist raped them - if they hadn't shown so much naked skin, the poor, misunderstood rapist would have been able to control himself...

      I guess stealing at least 27.5 million US dollars (the amount he has to reimburse the victims with) and setting up an online shop for selling credit card information is a very, very loud plea for help. Or possibly a sign of a well-developed sense of greed and a belief that you couldn't be caught - if we were to blame the criminal, that is.

      And of course the criminal is to blame. After all, most of us don't break the laws - even if we have the knowledge to do so. The ones who do break them break them willingly and with intent; most of them with a reasonable knowledge that what they are doing is wrong and will be punished.

      Which is not to say that the credit card companies shouldn't try to improve the security of their cards. Over here most - if not all - banks and credit card companies will send you a code-dongle (BankID - use an online translator to read it if you don't speak Norwegian) that is considered safe - so safe in fact that the banks say they won't hold you responsible if your card is abused online. Downside is of course that it's only supported within Norway, so if I buy something from a non-Norwegian online shop I still have to rely on the older, less secure solutions.

      --
      Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
    7. Re:Good. by sjames · · Score: 4, Insightful

      In this analogy, Bob (the consumer) is a victim from all sides. He was wearing a vest but it turned out to have tissue paper inside rather than kevlar and had a target painted on it. For some reason, the courts side with the manufacturer of the vest, accepting their claim that it was up to Bob to verify the vest's construction.

      The criminals are naturally at fault, but the banks are also to blame for flimsy security and trying to stick the consumer with the cost of the inevitable fraud. The law is at fault for actually letting the banks stick it to the consumer.

      For some bizarre reason, banks are treated as if they are intrinsically honest, conscientious and correct. Recent events provide ample evidence that the assumption is faulty.

      If they had to actually demonstrate that you made a charge before they could try to collect money from you, you can bet the system would be tightened up overnight.

    8. Re:Good. by EvanED · · Score: 4, Informative

      If the person is there in person, then ID check...

      Actually doing anything meaningful along that line is against the merchant agreements companies sign to accept credit cards.

      From Visa's:

      Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures.
      (That quote is in bold, page 29.)

  5. Interesting..... by LordPhantom · · Score: 5, Insightful

    "It is a shame that someone with so much ability chose to use it in a manner that hurt many people," Dembosky said in an e-mail message."

    That in light of

    "Butler served an 18-month prison term for the crime and fell on hard times after his 2002 release, he said in a sentencing memorandum filed Thursday. "I was homeless, staying on a friend's couch. I couldn't get work," he wrote. In desperation, he turned again to cybercrime."

    I'm not saying he's right, but it does highlight something interesting about finding work as an ex-con.

    1. Re:Interesting..... by Attila+Dimedici · · Score: 4, Insightful

      Of course it didn't help that he was convicted of abusing the trust that people gave him when he offered his services as a security consultant in the first place (which appears to be his only marketable skill).

      --
      The truth is that all men having power ought to be mistrusted. James Madison
  6. Slashdot misses the point by netik · · Score: 4, Insightful

    This isn't about a 13 year sentence for "Hacking."

    This is a 13 year sentence for credit fraud, credit card theft, and oh yeah, he also stored the credit card numbers on a computer where other people could get to them.

    There's no cleverness here that needs awarding. Back doors are easy to install when the FBI has already allowed you to contract there.

  7. He did it to himself. by Ungrounded+Lightning · · Score: 4, Insightful

    I'm not saying he's right, but it does highlight something interesting about finding work as an ex-con.

    His first conviction was for criminally violating the trust of his employer and working in direct contravention to his employer's interests and mission. His skills are such that to be employed effectively he must be trusted.

    Oops!

    He did it to himself. No employment for him. (He'd have been lucky to find burgers to flip.)

    So then he starts a business. High corporate positions may have been barred to him by his first conviction, but a lot of smaller stuff still was open. Yet what does he choose? Cybercrime.

    Oops!

    When he finally gets out from THIS one he'll be watched so closely that even organized crime is unlikely to work with him.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  8. Warrant for Floyd Landis the cyclist for hacking? by sponga · · Score: 5, Interesting

    That's right the guy who got caught with the performance enhancing drugs during the Tour de France had a warrant issued for him today for hacking. I don't know what it is over but maybe his attempts to tamper with the committee who tested him maybe. I don't know all the info but I just saw it on the news channel.
    Never mind, here it is

    France Issues Arrest Warrant for Cyclist Floyd Landis
    http://www.nytimes.com/2010/02/16/sports/cycling/16landis.html

    PARIS — The United States cyclist Floyd Landis was stripped of his 2006 Tour de France title after testing positive for performance-enhancing drugs, but the fallout from his doping case has lingered.

    Thomas Cassuto, a French judge, issued an arrest warrant for Landis last month, in connection with a computer hacking case, said Astrid Granoux, a spokeswoman for the prosecutor’s office in Nanterre, a suburb of Paris, which is handling the matter.

    “That means he would be arrested if he came to France,” Granoux said Monday, adding that the warrant had not been distributed outside of French territory.

    Landis, who raced for the Ouch Pro Cycling Team last year, parted ways with the team last fall. He could not be reached for comment Monday.

    Cassuto is seeking to question Landis about the data hacking that occurred in the fall of 2006 at the Châtenay-Malabry antidoping lab, which is the facility that conducted the tests on Landis’s urine samples from the 2006 Tour.

    A very public dispute between Landis and the lab’s officials was the crux of Landis’s defense in his doping case, which ended in his being barred from the sport for two years. Landis and his defense team had alleged that the lab’s testing procedures were sloppy, so its test results could not be trusted.

    Pierre Bordry, the lab’s director, said a security breach of the facility’s computers occurred because hackers wanted to obtain data to discredit its scientists. He said that some of the stolen data had been altered to make it seem as if the lab had made errors.

    In November 2006, lab officials filed a formal complaint saying that its computer data had been stolen and used in Landis’s defense. That confidential data was also sent to other labs and news media, officials said. A subsequent search of the lab’s computers turned up a Trojan horse, which is a program that allowed an outsider to remotely download files.

    Investigators concluded that the program could have originated from an e-mail message sent to the lab from a computer using the same Internet protocol address as Arnie Baker, Landis’s coach.

    Landis and Baker, who continue to insist that Landis did not use performance-enhancing drugs to win the Tour, deny being involved in the computer hacking.

  9. Not just pin numbers! by Unordained · · Score: 4, Insightful

    In an ideal world, identification (username) and authentication (password) would be separate. But that's not the case in the financial world. Every time you use a credit card or cheque, you're leaving behind a trail that contains either your credit card number and security code (if online), or your bank's routing number and your account number. Your one-time authorization for withdrawal has given away the keys to the kingdom! It's like social security numbers in that respect. Only a few services (Discover bank?) allow you to set up single-use identifiers that work around this problem without rebuilding the whole system from scratch. More should. If you need to set up recurring payments, you should be able to tell your bank who's going to be doing it, how often, for (about) how much, and get a number that a hacker could not reuse for some other purpose. (And while you're at it, you make it transportable, so you can redirect that number to your new bank account when you get tired of your old bank screwing up, without having to remember to notify everyone that your bank account number's changed.)

  10. the security guard put a bag of money at his feet by circletimessquare · · Score: 4, Insightful

    and someone takes it

    fact: the security guard is responsible

    fact: the asshole who took it is responsible

    the security guard is responsible for neglecting his duty, NOT FOR THE MONEY

    the asshole who took it is guilty of taking something that isn't his, they are on the line for the money

    two different responsibilities

    but even beyond that, the fact that we NEED security guards is because so many people, such as yourself, don't understand simple fucking morality in this world

    there are moral people, who would not take something that is not theirs. and there are roaming monkeys with no moral compass who take whatever they can get. such people are the problem with this world. there's no defense for being such an asshole. if it's not yours, don't fucking take it. it's really that fucking simple. learn it

    just because security is lax doesn't entitle you to a damn thing or entitle anyone for any excuse for committing a crime. if you take something that isn't yours, you are guilty, no matter if it is fort knox or a bag of money behind an open door: same level of guilt

    try to understand basic morality at some point in your life

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it