Read Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground Online

Authors: Kevin Poulsen

Tags: #Technology & Engineering, #Computer hackers, #Commercial criminals - United States, #Commercial criminals, #Social Science, #True Crime, #Computers, #General, #United States, #Criminals & Outlaws, #Computer crimes, #Butler; Max, #Case studies, #Computer crimes - United States, #Biography & Autobiography, #Computer hackers - United States, #Security, #Engineering (General), #Criminology


With that, Max shut down his five-day attack on the government, with more cracked systems behind him than he could count. He was satisfied that he’d made the Internet safer than it was before; thousands of computers that had been vulnerable to every hacker in the world were now vulnerable to only one: Max Vision.

Max immediately jumped into a new, more socially acceptable project: He would write a Web application that would let anyone on the Internet request an automatic real-time scan of their network to assess whether or not they were open to the BIND attack. He also conceived a benign variant of the siege he’d just concluded. Like before, he would scan government and military networks. But instead of cracking the vulnerable computers, he’d automatically send an e-mail warning to the administrators. There’d be no need to hide behind a hacked dial-up account this time. Both services would live on his brand-new public website: Whitehats.com.

After two days and nights of work, he was knee-deep in his new, legal hacking project when Beeson e-mailed again. “What happened? Thought you’d send me e-mail.”

Max could hardly explain to his FBI friend that he’d been busy staging one of the largest government computer breaches in history. So he emphasized his new project instead. “I am almost finished creating a public service vulnerability scanner and patch site—but there are some parts that aren’t ready for release,” he wrote back.

“Oh, and here is the ADM worm program,” he added. “I don’t think it will spread very far.”

I Miss Crime
 

On the afternoon of June 2, Max opened the door of his San Jose duplex to greet Chris Beeson and registered instantly that he was in trouble: There were three other suits with the FBI agent, including Beeson’s surly boss, Pete Trahon, head of the computer crime squad.

The month after the BIND attack had been a busy time for Max. He launched Whitehats.com, and it was an instant success in the security world. In addition to housing his scanning tool, the site collected the latest CERT advisories and links to BIND software patches, as well as a paper Max had written dissecting the ADM worm with the clarity and the discerning eye of a connoisseur. Nobody in the community suspected that Max Vision, the rising star behind Whitehats.com, had personally provided the brightest example of the seriousness of the BIND security hole.

He was also continuing to file reports to the FBI. After his last one, Beeson began e-mailing to arrange a casual meeting, supposedly to go over Max’s latest findings. “How ’bout if we just meet at your place?” Beeson wrote. “I know I have the address somewhere around here.”

Now that he was on Max’s doorstep, Beeson explained why they were really there. He knew all about Max’s attack on the Pentagon. One of the men with him, a young Washington, DC–based Air Force investigator named Eric Smith, had traced the BIND intrusions to Max’s house. Beeson had a search warrant.

Max let them in, already apologizing. He only meant to help, he explained.

They chatted amicably. Max, happy for an audience, grew expansive, describing the twists and turns of his attack and listening with interest as Smith described how he’d tracked Max through the pop-up messages Max had used to alert himself when a system was subverted: The messages went to a Verio dial-up, and a subpoena to the ISP produced Max’s phone number. It hadn’t been difficult. Max had convinced himself he was doing something positive for the Internet, so he hadn’t done much to cover his tracks.

The feds asked if anyone had known what Max was up to, and he said his boss was involved. Matt Harrigan—Digital Jesus—had not completely given up hacking himself, Max said, adding that Harrigan’s company was about to get a contract with the National Security Agency.*

At the agents’ behest, Max wrote out a confession. “My motives were purely for research and ‘to see if it could be done,’ ” Max wrote. “I know this is no excuse, and believe me, I am sorry for it, but it’s the truth.”

Kimi came home from school to find the feds still tossing the house. Like grazing deer, they looked up in unison as she entered, dismissed her as unthreatening, and turned wordlessly back to their work. When they left, they hauled Max’s computer equipment with them.

The door closed, leaving the newlyweds alone in what was left of their home. An apology formed on Max’s lips. Kimi cut him off angrily.

“I told you not to get caught!”

The FBI agents saw an opportunity in Max’s crime. Trahon and Beeson returned to Max’s home and gave their former ally the score. If Max hoped for leniency, he’d have to work for them—and writing reports wasn’t going to cut it anymore.

Eager to make amends and determined to salvage his life and career, Max didn’t ask for anything in writing. He took it on faith that if he helped the FBI agents, they would help him.

Two weeks later, Max got his first assignment. A gang of phone phreaks had just hijacked the phone system at the networking company 3Com and were using it as their own private teleconferencing facility. Beeson and Trahon could dial into the illicit chat line, but they doubted their ability to blend in with the hackers and gain any useful intelligence. Max studied up on the latest phone phreaking methods, then dialed into the system from the FBI’s field office while the bureau recorded the call.

Dropping the names of hackers he knew and drawing on his own expertise, Max easily persuaded the phone phreaks that he was one of them. They opened up and revealed that they were an international gang of about thirty-five phone hackers called DarkCYDE, living mostly in Britain and Ireland. DarkCYDE aspired to “unite Phreakers and Hackers all over the world into one big digital army,” according to the group’s blustery manifesto. But at root they were just kids playing with the phone, just as Max had done in high school. After the call, Beeson asked Max to stay close to the gang. Max chatted them up on IRC and turned over the logs to his handlers.

Pleased with Max’s work, the agents summoned him to the federal building in San Francisco a week later to brief him on a new assignment. This time, he’d be going to Vegas.

Max’s eyes moved over the nest of linen-clad card tables in the gaudy exhibit hall of the Plaza Hotel and Casino. Dozens of young men in T-shirts and shorts or jeans—the hacker’s uniform—were at the tables hunkered over a bank of computer workstations or standing on the sidelines, occasionally pointing at something on a screen.

To the untrained eye, it was a strange way to spend a weekend in Sin City—banging on keyboards like some anonymous cubicle drone, far from the pool, the slots, and the shows. But the hackers were in pitched competition, working in teams to penetrate a clutch of computers hanging off a hastily erected network. The first team to leave their virtual marker in one of the targets would claim a $250 prize and valuable bragging rights—with points also awarded for hacking other competitors. New attacks and ruses were flowing from the hackers’ fingers, and secret, stockpiled exploits were being pulled from virtual armories to be used in public for the first time.

At Def Con, the world’s largest hacking convention, the Capture the Flag competition was Fischer vs. Spassky every year.

Kimi wasn’t impressed, but Max was in heaven. Across the floor, more tables were cluttered with vintage computer gear, odd electronics, lock-picking tools, T-shirts, books, and copies of 2600: The Hacker Quarterly. Max spotted Elias Levy, a famous white-hat hacker, and pointed him out to Kimi. Levy, aka Aleph One, was the moderator of the Bugtraq mailing list—the New York Times of computer security—and the author of a seminal tutorial on buffer overflows called “Smashing the Stack for Fun and Profit” that had appeared in Phrack. Max didn’t dare approach the luminary. What would he say?

Max wasn’t the only law enforcement mole at Def Con, of course. From its humble beginnings in 1992 as a one-off conference pulled together by a former phone phreak, Def Con had grown into a legendary gathering that drew nearly two thousand hackers, computer security professionals, and hangers-on from around the world. They came to party in person with comrades they’d befriended online, present and attend technical talks, buy and sell merchandise, and get very, very drunk in all-night bashes in the hotel rooms.

Def Con was such an obviously target-rich environment for the government that the organizer, Jeff “the Dark Tangent” Moss, had invented a new convention game called Spot the Fed. A hacker who thought he’d identified a G-man in the crowd could point him out, make a case, and, if the audience concurred, take home a coveted I SPOTTED THE FED AT DEF CON T-shirt. Often the suspected fed would just give up and good-naturedly whip out a badge, giving the hacker an easy win.

Max’s mission was broad. Trahon and Beeson wanted him to chum up to his fellow hackers and try to get their real names, then lure them into exchanging public PGP encryption keys, which security-minded geeks use like sealing wax to encrypt and sign their e-mail. Max’s heart just wasn’t in it. Writing reports for the bureau was one thing, and he’d had no qualms about getting the goods on the DarkCYDE phreaks, who were too young to get in real trouble. But this assignment smelled like snitching. Personal loyalty was written deep into Max’s firmware, and one look at the Def Con crowd told him these were his people.

Many of the hackers were reluctantly giving up childish things, migrating into legitimate dot-com jobs or starting security companies. They were becoming white hats, like Max. A popular T-shirt at the conference summed up the mood: I MISS CRIME.

Max shrugged off the FBI’s edict and began attending the parties and the talks. On the roster this year was a much-anticipated software release by the Cult of the Dead Cow. The cDc were the rock stars of the hacker world—literally: They recorded and performed music and infused their conference presentations with over-the-top theatrics that made them media darlings. At this Def Con the group was unleashing Back Orifice, a sophisticated remote-control program for Windows machines. If you could trick someone into running Back Orifice, you could access their files, see what was on their screen, and even look through their webcam. It was designed to embarrass Microsoft for the shoddy security in Windows 98.

The crowd at the Back Orifice presentation was ecstatic, and Max found the energy infectious. But of more pragmatic interest to Max was a talk on the legalities of computer hacking by a San Francisco criminal defense attorney named Jennifer Granick. Granick opened her presentation by describing the recent landmark prosecution of a Bay Area hacker named Carlos Salgado Jr., a thirty-six-year-old computer repairman who, more than any other hacker, represented the future of computer crime.

From his room in his parents’ house in Daly City, a few miles south of San Francisco, Salgado had cracked a major technology company and stolen a database of eighty thousand credit card numbers, with names, ZIP codes, and expiration dates. Credit card numbers had been hacked before, but what Salgado did next assured him a place in the cybercrime history books. Using the handle “Smak,” he jumped into the #carding chat room on IRC and put the entire list up for sale.

It was like offering a 747 for sale at a flea market. At the time, the online credit card fraud underground was a depressing bog of kids and small timers who’d barely advanced beyond the previous generation of fraudsters fishing receipt carbons from the Dumpsters behind the mall. Their typical deals were in the single digits, and their advice to one another was tainted by myth and idiocy. Much of the conversation unfolded in an open channel where anyone in law enforcement could log in and watch—the carders’ only security was the fact that nobody would bother.

Remarkably, Salgado found a prospective buyer in #carding—a San Diego computer science student who’d been putting himself through college by counterfeiting credit cards, getting the account numbers from billing statements pilfered from the U.S. mail. The student had mob contacts who, he believed, would buy Smak’s entire stolen database for six figures.

The deal went south when Salgado, looking to perform a little due diligence, hacked his customer’s ISP and poked through his files. When the student found out, he got mad and secretly began working with the FBI. On the morning of May 21, 1997, Salgado showed up at a meeting with his buyer at the smoking lounge at San Francisco International Airport, where he expected to trade a CD-ROM containing the database for a suitcase packed with $260,000 in cash. Instead, he was arrested by the San Francisco computer crime squad.

The foiled plot was an eye-opener for the FBI: Salgado represented the first of a new breed of profit-oriented hacker, and he posed a threat to the future of e-commerce. Surveys showed that Web users were anxious about sending credit card numbers into the electronic ether—it was the number one thing holding them back from Internet purchasing. Now, after years of struggling to gain consumers’ trust and reward the faith of investors, e-commerce companies were starting to win over Wall Street. Less than two weeks before Salgado’s arrest, Amazon.com had launched its long-awaited initial public offering and ended the day $54 million richer.
