Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground Online
Authors: Kevin Poulsen
Tags: #Technology & Engineering, #Computer hackers, #Commercial criminals - United States, #Commercial criminals, #Social Science, #True Crime, #Computers, #General, #United States, #Criminals & Outlaws, #Computer crimes, #Butler; Max, #Case studies, #Computer crimes - United States, #Biography & Autobiography, #Computer hackers - United States, #Security, #Engineering (General), #Criminology
Several of the Hungries wrote letters as well, as did Max’s mother and sister. In her note, Kimi pleaded eloquently for Max’s freedom. “He saved my life by helping me out of an abusive relationship and teaching me the meaning of self-respect,” she wrote. “He gave me shelter when I had no place to live. He took very good care of me when I was seriously ill, saving my life again by taking me to the emergency room when I protested that I was ‘fine’ even as I was dying.”
When the lawyers finished their arguments, Max spoke for himself, with the earnest politeness he always exhibited away from his computer. His attack, he explained, had been born of good intentions. He’d just wanted to close the BIND hole and had lost his head.
“I got swept up,” he said softly. “It’s hard to explain the feelings of someone who’s gotten caught up in the computer security field.… I felt at the time that I was in a race. That if I went in and closed the holes quickly, I could do it before people with more malicious intentions could use them.
“What I did was reprehensible,” Max continued. “I’ve hurt my reputation in the computer security field. I’ve hurt my family and friends.”
Judge Ware listened attentively but had already made up his mind. Letting Max off without a prison term would send the wrong message to other hackers. “There’s a need for those who would follow your footsteps to know that this can result in incarceration,” the judge said.
The sentence: eighteen months in prison, followed by three years of supervised release in which Max wouldn’t be allowed on the Internet without the permission of his probation officer.
The prosecutor asked the judge to order Max immediately taken into custody, but Ware denied the request and gave the hacker a month to put his affairs in order and turn himself in to the U.S. marshals.
• • •
Max and Kimi had moved to Vancouver, near her family, after his guilty plea. When they returned home, Max wasted no time arranging for Whitehats.com and arachNIDS to survive his incarceration. He set up automatic bill payments for his bandwidth and wrote out a list of items for Kimi to take care of in his absence. She was in charge of arachNIDS now, he said, indicating the server squatting on the floor of their apartment.
The couple adopted two kittens to keep Kimi company while he was gone, named for the swords from Elric of Melniboné. The orange boy-cat was Mournblade; the gray female was Stormbringer.
Max spent his last weekend of freedom in front of his keyboard, getting arachNIDS ready for Kimi’s stewardship. When Monday came he turned himself in on schedule. On June 25, 2001, he was locked in the county jail pending his shipment to his new home, Taft Federal Prison, a corporate-run facility owned by Wackenhut, positioned near a small town in central California.
As far as Max was concerned, it was another injustice, just like back in Idaho. He’d been sent back to prison not for his hacking but for refusing to set up Matt Harrigan. He was being punished for his loyalty, once again a victim of a capricious justice system. He doubted Judge Ware had even looked at the details of his case.
Kimi was adrift, alone for the first time since she’d met Max. For all his talk about staying with her forever, he’d chosen a course of action that guaranteed their separation.
Two months later, Kimi was talking to him on the phone from prison when she heard a pop! and the smell of acrid smoke filled her nostrils. The motherboard on Max’s server had burst into flames. Max tried to calm her—all she had to do was replace the motherboard. He could do it in his sleep. Max talked her through the process, but Kimi was realizing she wasn’t cut out for life as the prison wife of a hacker.
In August, she went to the Burning Man festival in Nevada to forget her troubles. When she got home, she broke some bad news to Max over the phone. She’d met someone else.
It was another betrayal.
Max took the news with eerie calm, interrogating her about every detail: What drugs was she on when she cheated on him? What sexual positions did they use? He wanted to hear her ask for his forgiveness—he’d have given it to her in a heartbeat. But that wasn’t what she was asking for. She wanted a divorce. “I don’t know if you even think about the future anymore,” she said.
In search of closure, Kimi caught a flight to California and drove to Taft, where she sat nervously in the waiting room, her eyes playing over a wall of posters depicting Wackenhut’s network of hivelike prisons around the country. When Max was brought in, he took his place across the stainless steel picnic table in the visiting room and launched into an appeal. He did think of the future, he told her, and he’d been making plans in the joint.
“I’ve been talking to some people,” he said, lowering his voice to a hush. “People I think I could work with.”
Jeffrey James Norminton was at the tail end of a twenty-seven-month stretch when Max met him in Taft. At thirty-four, Norminton had the stolid physical presence of a brawler, thick necked with an oversized forehead and a Kirk Douglas cleft in his chin. An alcoholic and an accomplished con man, he was a financial wizard who did his best work half-sober. He’d start chain-chugging Coors Lights as soon as he rolled out of bed, and by the end of the day he’d be useless, but in that sweet spot between the morning’s sobriety and the blurriness of midafternoon, Norminton was a master of the high-stakes con—a criminal rainmaker who could produce seven-figure sums from thin air.
Norminton’s latest caper had required little more than a telephone and a fax machine. The target had been the Entrust Group, a Pennsylvania investment brokerage house. On a summer day in 1997, Norminton picked up the phone and called a vice president at Entrust, adopting the persona of an investment manager at Highland Federal Bank, a real bank in Santa Monica, California.
Oozing confidence and charm, the swindler persuaded Entrust to buy into the bank’s high-yield certificates of deposit, promising the VP a healthy 6.20 percent return on a one-year investment. When Entrust eagerly wired $297,000 to Highland, the cash wound up in the account of a dummy corporation Norminton’s accomplice had set up under Entrust’s name. To the bank, the transaction looked like an investment house moving money from one branch to another.
The grifters promptly withdrew all but $10,000 of the cash and then ran the scam again, this time with Norminton’s partner making the phone call to the same VP and pretending to be from a different bank, City National, offering an even higher return. Entrust promptly sent two more transfers totaling $800,000.
Norminton was undone by his ambition. He sent his accomplice into City National to pull out $700,000 in a single cashier’s check. An investigator at the bank got suspicious and backtracked the incoming wire transfers to the real Entrust. At the next withdrawal, FBI agents were waiting. The financial mastermind was now cooling his heels in Taft. The only silver lining to his incarceration was that he’d met a talented hacker looking to get back at the system.
Norminton made it clear that he saw real potential in Max, and the pair took to walking the yard every day, swapping war stories and fantasizing about how they might work together when they hit the streets. With Norminton’s guidance, Max could easily learn to crack brokerage houses, where they’d tap into overstuffed trading accounts and drain them into offshore banks. One big haul and they’d have enough cash for the rest of their lives.
After five months, Norminton and his schemes were sent home to sunny Orange County, California, while Max remained at Taft with another year left on his sentence—long, tedious days of bad food, standing for count, and the sound of chains and keys.
In August 2002, Max was granted early release to a sixty-one-bed halfway house in Oakland, where he shared a room with five other ex-cons.
Kimi met with Max to present him with divorce papers. She was getting serious with the guy she’d met at Burning Man; it was time, she said, for Max to let her go.
Max refused to sign.
Max’s relative freedom at the halfway house was tenuous—the facility demanded that he obtain gainful employment or go back to prison, and telecommuting wasn’t allowed. He reached out to his old contacts in Silicon Valley and found his employability had been shattered by his high-profile hacking conviction and over a year in prison.
Desperate, he borrowed a laptop from one of the Hungry Programmers and banged out a message to an employment list watched by the computer security experts who had once admired him. “I have been showing up at places that farm out manual labor, 5:30 am, and still haven’t found any work,” he wrote. “My situation is just ridiculous.” He offered his services at fire-sale prices. “I am willing to work for minimum wage for the next few months. Surely there is some open position at a security company in the area.… The last half dozen employers I have had paid me at least $100/hr for my time, now I am only asking for $6.75.”
A consultant answered the plea, agreeing to let Max work out of his home office in Fremont, a short BART ride from the halfway house. He’d pay ten dollars an hour for Max to help build servers, a throwback to Max’s first job for his father as a teen. Tim Spencer loaned Max a bike to pedal to the train station every day. Max was freed from the halfway house after two months, and the Hungry Programmers once again stepped up to provide him with shelter. He moved into an apartment in San Francisco shared by Chris Toshok, Seth Alves—a veteran of the Meridian master-key adventure—and Toshok’s ex-girlfriend Charity Majors.
Despite the jailhouse fantasies he and Norminton had hatched, Max was determined to go straight. He resumed his search for work. But the job offers failed to pour in for the ex-con.
Even the Honeynet Project, to which he’d donated his expertise just a couple of years earlier, shunned him.
His lot began improving in other ways: He started dating his housemate Charity Majors, a fellow Idaho refugee who designed herself like an avatar from a virtual world, painting her fingernails like Skittles—each a different color—and wearing contact lenses that tinted her eyes an impossible emerald. Money was tight for both of them: Charity worked as a system administrator for a porn website in Nevada, earning Silver State wages that were stretched thin in San Francisco. Max was nearly broke.
One of Max’s former clients in Silicon Valley tried to help by giving Max a $5,000 contract to perform a penetration test on the company’s network. The company liked Max and didn’t really care if he produced a report, but the hacker took the gig seriously. He bashed at the company’s firewalls for months, expecting one of the easy victories to which he’d grown accustomed as a white hat. But he was in for a surprise. The state of corporate security had improved while he was in the joint. He couldn’t make a dent in the network of his only client. His 100 percent success record was cracking.
“I’ve never failed to get into a system before,” Max told Charity in disbelief.
“Sweetie, you haven’t touched a computer for years,” she said. “It’ll take you a little while. Don’t feel like you have to get in today.”
Max pushed harder, only becoming more frustrated over his powerlessness. Finally, he tried something new. Instead of looking for vulnerabilities in the company’s hardened servers, he targeted some of the employees individually.
These “client side” attacks are what most people experience of hackers—a spam e-mail arrives in your in-box, with a link to what purports to be an electronic greeting card or a funny picture. The download is actually an executable program, and if you ignore the warning message on your Windows machine and install the software, your computer is no longer your own.
In 2003 the dirty secret of these attacks was that even savvy users who knew better than to install foreign software could be broadsided. “Browser bloat” was largely to blame. In the nineties a fierce battle with Netscape for control of the browser market had driven Microsoft to stuff Internet Explorer with unnecessary features and functionality. Every added capability expanded the attack surface of the browser. More code meant more bugs.
Now Internet Explorer holes were constantly surfacing. They were usually discovered by one of the good guys first: Microsoft’s own programmers or a white hat who often, but not always, warned the company before detailing the hole on Bugtraq.
But once a hole was public, the race was on. Black hats worked to exploit the bug by setting up Web pages serving the attack code and then tricking victims into visiting them. Just looking at the Web page would yield control of the victim’s computer, without any outward sign of infection. Even if the bugs were not made public, the bad guys could figure them out by reverse-engineering the vulnerability from Microsoft’s patches. Security experts had been watching with dismay as the time between a vulnerability’s announcement and its exploitation by black hats shrank from months to days. In the worst-case scenario, the black hats found a bug first: a “zero day” vulnerability that left the good guys playing catch-up.
With new Microsoft patches coming out nearly every week, even vigilant corporations tended to lag in installing them, and average users often didn’t patch at all.
A global survey of one hundred thousand Internet Explorer users conducted around the time of Max’s effort found that 45 percent suffered from unpatched remote access vulnerabilities; narrowing the field to American users cooled the number only slightly, to 36 percent.
Max’s attack was effective. After securing access to an employee’s Windows machine, he hopped on the company’s network from the inside, grabbed some trophies, and popped out like the chest-bursting monster in Alien.
“It was then that I decided to scrap my old model of penetration testing and include client-centric attack as a mandatory part of the exercise,” he later wrote a white-hat colleague. “I’ve been confident about the 100 percent rate ever since.”
But instead of gratitude, Max’s final report was greeted with outrage. Using a client-side attack in a penetration test was almost unseemly; if you were hired to test physical security at a company’s corporate headquarters, you wouldn’t necessarily feel free to burglarize an employee’s home to steal the keys. The client gave him a tongue-lashing; they’d paid Max to attack their servers, not their employees.