Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (7 page)

Salgado’s IPO was higher: The credit card companies determined the total spending limits on his eighty thousand cards amounted to over a billion dollars—$931,568,535 if you subtracted the legitimate owners’ outstanding balances. The only thing he’d been missing was a NASDAQ to trade on. Once the underground figured out that part of the equation, it would be an industry of its own.

As soon as Salgado was arrested, he’d confessed everything to the FBI. That, Granick told the Def Con hackers in her presentation, was his big mistake. Despite his cooperation, Salgado had been sentenced to thirty months in prison earlier that year.

“Now, the FBI wanted me to tell you that it was good for Mr. Salgado that he talked.” Granick paused. “That’s bullshit.

“Just say no!” she said, and cheers and whistles swelled from the audience. “There’s never any good reason to talk to a cop.… If you’re going to cooperate, you’re going to cooperate after consulting with a lawyer and cutting a deal. There’s never any reason to give them information for free.”

In the back of the room, Kimi prodded Max in the ribs with her elbow. Everything Granick was advising computer intruders not to do, Max had done. Everything.

Max was having second thoughts about his arrangement with the feds.

•  •  •

“We need to make some changes in the way we do business.”

Max could feel the frustration radiating from his screen as he read the latest note from Chris Beeson. Max had returned from Def Con empty-handed and then blown off a meeting at the federal building at which he was supposed to get a new assignment, pissing off Beeson’s supervisor, Pete Trahon. Continuing his e-mail, Beeson warned Max of dark consequences for continued flakiness. “In the future, missed appointments without exceptional reasons will be considered uncooperative on your part. If you are not willing to cooperate then we HAVE to take the appropriate actions. Pete is meeting with the prosecutor on YOUR case Monday. He wants to meet with you promptly in our office at 10:00am sharp, MONDAY 8/17/98. I am not available next week (that is why I wanted to meet with you this week) so you’re going to have to deal directly with Pete.”

This time, Max showed up. Trahon explained that he’d become interested in Max’s boss at MCR, Matt Harrigan. The agent was alarmed at the idea of a hacker running a cybersecurity shop staffed with other hackers, like Max, and vying for a contract with the NSA. If Max wanted to make the FBI happy, he had to get Harrigan to admit he was still hacking and had played a role in Max’s BIND attack.

The agent gave Max a new form to sign. It was Max’s written consent to wire him for sound. Trahon handed him a bureau-issued recording device disguised as a pager.

On the way home, Max pondered the situation. Harrigan was a friend and fellow hacker. Now the FBI was asking Max to perform the ultimate betrayal—to become Digital Jesus’s real-life Judas.

The next day, Max met Harrigan at a Denny’s diner in San Jose, without the FBI wire. His eyes scanned over the other diners and looked out the window into the parking lot. There could be feds anywhere.

He pulled out a piece of paper and slipped it across the booth. “Here’s what’s going on.…”

Max phoned Jennifer Granick after the meeting—he’d gotten her card at the conclusion of her Def Con talk—and she agreed to represent him.

When they learned Max had lawyered up, Beeson and Trahon wasted no time in officially dropping him as an informant. Granick began phoning the FBI and the prosecutor’s office to find out what the government had planned for her new client. Three months later she finally got an answer from the government’s top cybercrime prosecutor in Silicon Valley. The United States was no longer interested in Max’s cooperation. He could look forward to going back to prison.

ith his government service at an end, Max went to work building his reputation as a white-hat hacker, even as he lived under the sword of Damocles of a pending federal indictment.

The BIND vulnerability and the resultant success of Whitehats.com had given him a running start. Now Max hung up his own shingle as a computer security consultant, erecting a new website touting his services as a hacker for hire at one hundred dollars an hour—or free to nonprofit groups. His chief selling point: a 100 percent success rate in penetration tests. He had never once confronted a network he couldn’t crack.

It was an exciting time to be a white hat. The rebellious spirit that drove the open-source software movement was planting itself in the computer security world, and a new crop of college graduates, dropouts, and former and current black hats was upending the conservative assumptions that had dominated security thinking for decades.

First to be dustbinned was the tenet that security holes and attack methods should be kept quiet, held privately among a cadre of trusted responsible adults. The white hats called this notion “security through obscurity.” The new generation preferred “full disclosure.” Discussing security problems widely not only helped get them fixed, but it also advanced the science of security, and hacking, as a whole. Keeping bugs private only benefited two groups: the bad guys who were exploiting them, and vendors
like Microsoft that preferred to fix security holes without confessing the details of their screwups.

The full-disclosure movement spawned the Bugtraq mailing list, where hackers of any hat color were encouraged to send in detailed reports of security flaws they’d found in software. If they could provide an “exploit”—code that demonstrated the flaw—so much the better. The preferred path to full disclosure was to first notify the software maker and give that company time to issue a patch before releasing the flaw or exploit on Bugtraq. But Bugtraq didn’t censor, and it was common for a bug finder to drop a previously unknown exploit onto the list, releasing it simultaneously to thousands of security researchers and hackers in the span of minutes. The maneuver was all but guaranteed to kick a software company into rapid response.

Bugtraq provided hackers with a way to show off their expertise without breaking the law. The ones who were still cracking systems had an invigorated white-hat community to deal with, armed with a growing arsenal of defensive tools.

In late 1998, a former NSA cybersecurity contractor named Marty Roesch developed one of the best. Roesch thought it would be fun to see what random attacks were crossing his home cable modem connection while he was at work. As a weekend project, he cranked out a packet sniffer called Snort and released it as an open-source project.

At first, Snort was nothing special—a packet sniffer is a common security tool that eavesdrops on the traffic crossing a network and dumps it to a file for analysis. But a month later, Roesch turned his program into a full-blown intrusion detection system (IDS), which would alert the operator whenever it spotted network traffic that matched the signature of a known attack. There were a number of proprietary IDSs on the market, but Snort’s versatility and open-source licensing instantly appealed to the white hats, who loved nothing more than tinkering with a new security tool. Volunteer programmers jumped in to add functionality to the program.

Max was excited by Snort. The software was similar to BRO, the Lawrence Berkeley lab project that had helped sniff out Max’s BIND attack, and Max knew it could be a game changer for online security. Now white hats could watch in real time for anyone trying to exploit the vulnerabilities discussed on Bugtraq and elsewhere. Snort was like an early-warning system for a network—the computer equivalent of the NORAD radar mesh that monitors America’s airspace. All it was lacking was a comprehensive and up-to-date list of attack signatures, so the software would know what to look for.

In the first few months after Snort’s release, a disorganized trickle of user-created signatures put the total number at about 200. In a single sleepless night, Max more than doubled the count, whipping up 490 signatures. Some were original, others were improved versions of the existing rules or ports from Dragon IDS, a popular proprietary system. Writing a rule meant identifying unique characteristics in the network traffic produced by a particular attack, like the port number or a string of bytes. For instance, the incantation
alert udp any any -> $INTERNAL 31337 (msg:“BackOrifice1-scan”; content:“|ce63 d1d2 16e7 13cf 38a5 a586|”;)
detected black hats trying to use the Cult of the Dead Cow’s Back Orifice malware that had so transfixed the crowd at Def Con 6.0. It told Snort that an incoming connection to port 31337, with a particular string of twelve bytes in the network traffic, was someone trying to exploit the back door.

Max put the signatures online as a single file on Whitehats.com, crediting a handful of other security geeks for their contributions, including Ghost23—a nod to his alter ego. Later, he converted the file to a full-fledged database and invited other experts to contribute their own rules. He gave the project the catchy name arachNIDS, for Advanced Reference Archive of Current Heuristics for Network Intrusion Detection Systems.

ArachNIDS was a hit and helped Snort surge to new levels of popularity in the security community, with Max Vision riding the swell to security stardom. As more white hats contributed to the project, it became
the computer-security equivalent of the FBI’s fingerprint database, capable of identifying virtually every known attack technique and variant. Max built on his success by writing papers dissecting Internet worms with the same clear eye he’d applied to the ADM worm. The technology press started seeking him out for comment on the latest attacks.

In 1999, Max injected himself into another promising venture aimed directly at tricking black-hat hackers. The Honeynet Project, as it would later be called, was the work of a former Army officer who applied his interest in military tactics to erect network “honeypots”—decoy computers that served no purpose but to be hacked. The Honeynet Project would secretly wire a packet sniffer to the system and place it unprotected on the Internet, like an undercover vice cop decked out in pumps and a short skirt on a street corner.

When a hacker targeted a honeypot, his every move would be recorded and then analyzed by security experts, with the results released to the world in the spirit of full disclosure. Max delved into the forensic work, reconstructing crimes from raw packet data and producing cogent analyses that blew the lid off some of the underground’s concealed techniques.

But Max knew his rising recognition as a white hat wouldn’t save him from the federal grand jury. In quiet moments, he fantasized with Kimi about escaping his fate. They could run off together, to Italy or some remote island. They’d start over. He’d find a benefactor, someone with money who recognized Max’s talent and would pay him to hack.

The couple’s relationship was suffering under the weight of the government’s silent looming presence in their life. Before the raid, they hadn’t much planned for the future. Now they couldn’t. The future had been taken out of their control, and the uncertainty was toxic. They fought in private and snipped at each other in public. “
The reason I signed the confession is because we’d just gotten married, and I didn’t want to hurt you,” Max said. He blamed himself, he added. By getting married, he’d given his enemies a weapon to use against him, a fatal flaw.

Kimi transferred from De Anza, a community college, to UC Berkeley, and the couple moved across the bay to live just off campus. The move proved fortuitous for Max. In the spring of 2000, a Berkeley company named Hiverworld offered him a long-awaited shot at the dot-com success that had already graced other Hungry Programmers. The company’s plan was to create a new antihacking system that would detect intrusions, like Snort, but also actively scan the user’s network for vulnerabilities, allowing it to ignore malicious volleys that had no chance of success. Snort author Marty Roesch was employee number 11. Now the company wanted Max Vision as number 21.

Max’s first day was set for March 21. It was an early position at a promising technology start-up. The American dream, circa 2000.

On the morning of March 21, 2000, the FBI knocked on Max’s door.

At first he thought it was a Hiverworld hazing, a practical joke. It wasn’t. “Just don’t answer it!” he said to Kimi. He grabbed a phone and found a hiding place, in case the agents peered through the windows. He dialed Granick and told her what was happening. The indictment must have finally come down. The FBI was there to take him to jail. What should he do?

The agents left—their arrest warrant didn’t authorize them to crash into Max’s home, so he’d temporarily thwarted them by the simple act of not answering the door. On her end, Granick called the prosecutor to try to arrange for a civilized self-surrender at the FBI field office in Oakland. Max contacted Hiverworld’s CTO, his new boss, to report that he wouldn’t be showing up for his first day at work. He’d be in touch in a day or two to explain everything, he said.