Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground
Authors: Kevin Poulsen
Max began to wonder if he had a future in computer security at all. His former friends in the community had all moved on. Hiverworld, where Max had nearly been employee 21, revamped its executive team and won $11 million in venture capital, changing its name to nCircle Network Security. Marty Roesch left the company to build on the success of Snort—to which Max had contributed—starting a firm of his own called Sourcefire in Maryland. Both companies were on a path to success, nCircle kicking off an expansion that would take it to 160 employees in the years to come and Sourcefire heading to an IPO on the NASDAQ.
In some alternate universe in which Max had never hacked the Pentagon, or never used that Verio dialup, or had simply kept his mouth shut and worn a wire on Matt Harrigan, the hacker would have been riding one of those companies to financial success and rewarding, challenging work. Instead, he could only watch from the sidelines.
He was itinerant, grasping for cash, and flailing for something to do with his freedom. That was when he checked his Whitehats.com e-mail in-box and found an anonymous note from “an old friend from Shaft.” It was the code phrase Max had worked out with Jeff Norminton.
Max met Jeff Norminton in a room at the St. Francis Hotel, and they caught up. Norminton hadn’t taken well to supervised release: His sentencing judge required him to submit monthly urine samples, so his probation officer could make sure he hadn’t started drinking again. That was a problem, since he was drinking again. After he’d refused two piss tests, the court had ordered him to check into Impact House, a drug and alcohol rehab center in Pasadena. He walked away after three weeks and was now looking to scam enough zeroes to flee to Mexico.
It was time to act on the plans they’d made in prison, Norminton said. He was ready to bankroll Max in his new career as a professional hacker.
Max was ready. He’d struggled long enough trying to make an honest living, and he was tired of being punished. He knew he was wearing out his welcome at the Hungry Programmers’ house, even if they’d never complain. His diet was down to noodles and vegetables. He had no health insurance and dental problems that would cost thousands to fix.
Room service interrupted the conversation to deliver a hospitality basket. Norminton made a show of carrying the delivery into the bathroom, turning on the shower, and closing the door—in case the basket was bugged, he said. When they were done laughing, Max gave Norminton a short shopping list of gear he’d need to get started, a high-performance Alienware laptop, for one. And an antenna. A big one.
There was just one little hitch. Norminton was broke. They’d need to bring in someone else for seed money. Fortunately, Jeff knew just the guy.
Max met his future friend and criminal partner Chris Aragon in North Beach, San Francisco’s little Italy, where seedy strip clubs and fortune tellers coexist with a row of pleasantly gaudy restaurants serving warm bread and hot pasta to sidewalk diners. The meeting was set for a coffee shop near the City Lights bookstore, cradle of the Beat Generation in the 1950s, and kitty-corner from Vesuvio Café, a saloon announced by colorful wall murals with wine bottles and a peace sign. Down the hill the Transamerica Pyramid stood sentry over the financial district, stabbing the sky.
Norminton introduced Chris to Max over the muted clatter of coffee cups and dishes. The two hit it off immediately. The forty-one-year-old Chris was a student of eastern spirituality, a vegetarian who practiced meditation to center his mind. Max, with his hippie values, seemed a kindred spirit on the road of life. They’d even read some of the same books.
And like Max, Chris had been arrested more than once.
It had all started in Colorado, when Chris was twenty-one years old. He was working as a masseuse at a hot springs resort, earning enough to cover his rent and support a modest cocaine habit, when he hooked up with a troubled veteran named Albert See whom he’d met in the joint while serving a juvenile sentence. See had just escaped from a minimum-security prison camp and needed money to get out of the country.
Chris came from a privileged background—his mother, Marlene Aragon, worked in Hollywood as voice talent, and she’d recently enjoyed a run on ABC’s Saturday morning cartoon Challenge of the Superfriends, voicing Wonder Woman’s feline nemesis the Cheetah. But he also had romantic notions of crime and criminals; on the wall of his condo hung a poster of the cover art from the Waylon Jennings album Ladies Love Outlaws. He took Albert in, and the two embarked on a series of bold, and mostly botched, bank robberies in the resort towns dotting Colorado.
The first robbery, at the Aspen Savings and Loan, started off well enough: Chris, wearing a blue and white bandana over his mouth to conceal his braces, pulled an Army-issue .45 automatic on the bank manager as he unlocked the door in the morning. He and Albert forced the manager inside, where they found a cleaning woman hiding under one of the desks, phoning the police. They left in a hurry.
The second robbery, at the Pitkin County Bank and Trust, was over before it even began. Chris’s partner hid in a Dumpster by the back door, planning to jump out with his shotgun when the first employees came into work in the morning. The plan was aborted when Chris, watching from across the street, saw a garbage truck pull into the alley to empty the Dumpster.
The third robbery was better planned. On July 22, 1981, Chris and Albert visited Voit Chevrolet in Rifle and declared they wanted to test-drive a new Camaro. The luckless salesman insisted on going with them, and when they cleared the town limit, Chris steered to the side of the road, and Albert pulled the salesman from the car at gunpoint. They tied him up with rope, gagged him, and left him in a field before peeling away in the silver sports car.
The next day at 4:50 p.m., Chris drove the stolen Camaro up to the Valley Bank and Trust in Glenwood Springs, where the town locals parked the cash they earned from a flourishing tourist industry. Chris himself was a customer there. He waited outside behind the wheel of the car while Albert walked in wearing tinted sunglasses and toting a leather briefcase.
Albert ran out minutes later with $10,000 in cash and jumped into the Camaro, and Chris sped away.
Chris drove them south out of town on an unpaved road that snaked through the rocky red hills surrounding Glenwood Springs, then transferred to a jeep trail where his girlfriend was waiting with the switch car. Jubilant and excited, Chris drove past her and spun the Camaro into a triumphant fishtail, sending a plume of dust twenty feet into the air.
He was jumping up and down and shouting, “We did it!” when a police cruiser, drawn by the dust cloud, rolled up on the robbers. Chris and Albert made a mad dash on foot over the craggy, tree-dotted terrain. Chris tumbled down a ridge and landed on a cactus, and the two cops caught up with them. Chris dropped his shotgun and surrendered.
Chris learned a valuable lesson from his experience: not that crime didn’t pay, but that guns and getaway cars were a stupid way to rob a bank. When he made parole in 1986, after five years in federal prison, he delved into credit card fraud and enjoyed some modest success. Then he hooked up with a Mexican drug smuggler he’d met in the joint. Chris helped with the delivery of two thousand pounds of marijuana to a twenty-acre ranch near Riverside, California, only to be busted in a nationwide DEA undercover operation. He went back to prison in September of 1991.
When he got out in 1996, he was thirty-five years old and had spent more than half his adult life, and a portion of his childhood, behind bars. He vowed to go straight. With his mother’s help, he founded a legitimate business called Mission Pacific Capital, a leasing firm providing computer and business equipment to start-up companies hustling to claim their place in the dot-com race.
Clean-cut and handsome with an empathetic gaze, Chris fit easily into the role of a Southern California entrepreneur. After a lifetime of crime and uncertainty, the charms of a normal, middle-class existence had an exotic and satisfying appeal. He loved traveling to conventions, interviewing and hiring employees, schmoozing with colleagues. At a marketing convention in New Orleans, he met Clara Shao Yen Lee, a stylish woman of Chinese descent who’d emigrated from Brazil. Taken by Clara’s beauty and intelligence, he promptly married her.
Under Chris’s leadership, Mission Pacific built a reputation as an innovative leasing broker, one of the first to offer instant contracts through the Web, which helped the firm gain tens of thousands of clients around the country. The former bank robber and drug smuggler had two prominent Orange County businessmen as partners and twenty-one employees working in a spacious office a block from the Pacific Coast Highway. Clara dropped in periodically to help out with the look and feel of the company’s website and marketing material. By 2000, the couple had an upscale condo in Newport Beach, a son, and had staked a claim in a business that seemed as limitless in its potential as the Internet itself.
That spring, the dream died; the dot-com bubble burst, and the torrent of new companies that had been Mission Pacific’s lifeblood started to dry up. Then larger companies like American Express entered the leasing arena, squeezing out smaller firms. Chris’s company was one of dozens of leasing brokers to crash and burn. He began shedding employees and finally had to tell the stragglers that Mission Pacific wouldn’t be able to cut their next payroll checks.
Chris went to work for another leasing company but was cut in a round of layoffs when a large bank acquired the firm. Meanwhile, his wife gave birth to a second boy. So when Jeff Norminton showed up talking about the superhacker he’d met in Taft, Chris was ready to listen.
By the time he and Max met in that North Beach restaurant, Chris had already been funding Norminton’s scheme, providing some of the specialized equipment Norminton said his hacker needed. Now that Chris had met Max in person, he was eager for a demonstration. After talking for hours, the three of them left the coffee shop to find someplace to hack from.
They wound up at the twenty-seven-story Holiday Inn in Chinatown, a few blocks away. At Max’s direction, they asked for a room high above the street. Max positioned himself at the window, booted his laptop, plugged in the antenna, and began scanning for Wi-Fi networks.
In 2003, the world was going wireless in a big way and bringing a massive security hole with it. The revolution had begun with Apple’s AirPort wireless access point and then was joined by hardware makers like Linksys and Netgear. As hardware prices dropped, more and more companies and home users began breaking free of the tethers of their blue Ethernet cables.
But the wireless gear being ushered into homes and offices around the country was a hacker’s dream. It overwhelmingly employed a wireless standard called 802.11b, which included an encryption scheme that, in theory, would make it difficult to jump onto someone’s wireless network without authorization or to passively eavesdrop on computer traffic. But in 2001, researchers at the University of California at Berkeley revealed a number of severe weaknesses in the encryption scheme that made it crackable with ordinary off-the-shelf equipment and the right software. And as a practical matter that technical black magic was usually not even needed. To speed adoption, manufacturers were shipping wireless access points with encryption turned off by default. Businesses small and large simply plugged in the boxes and forgot about them—sometimes assuming falsely that their office walls would keep their networks from seeping out onto the street.
A few months before Max went to jail, a white-hat hacker had invented a sport called “war driving” to highlight the prevalence of leaky networks in San Francisco. After slapping a magnetically mounted antenna to the roof of his Saturn, the white hat cruised the city’s downtown streets while his laptop scanned for beaconing Wi-Fi access points. After one hour in the financial district, his setup would find close to eighty networks. A year and a half had passed since then, and San Francisco, like other large cities, was now blanketed in an invisible sea of network traffic, available to anyone who cared to dip in.
Hacking from home was for idiots and teenagers—Max had learned that lesson the hard way. Thanks to Wi-Fi, he could now work from almost anywhere with complete anonymity. This time, if the police traced back one of Max’s hack attacks, they’d wind up on the doorstep of whatever poor sap Max had used for connectivity.
The antenna Max used was a monster, a two-foot-wide wire-grid parabolic that quickly teased out dozens of networks from the ether surrounding the Holiday Inn. He jumped on one and showed Chris how it all worked. Wielding a vulnerability scanner—the same kind of tool he’d used in his pen tests—he could quickly scan huge chunks of Internet address space for known vulnerabilities, like sending a drift net into the Web. Security holes were everywhere. He was confident he’d be in financial institutions and e-commerce sites in no time. It was up to Norminton and Chris to decide what kind of data they needed and how they’d exploit it.