
Underground carders market. Translation of the book "KingPIN". Chapter 7. “Max Vision”

Kevin Poulsen, an editor at WIRED magazine and in his youth the blackhat hacker Dark Dante, wrote a book about "one of his acquaintances."

The book traces the path from a teenage geek (and bodybuilder) to a mature cyber-workhorse, and along the way shows some of the methods the special services use to catch hackers and carders.

The beginning and the translation plan are here: "Shkvoren: schoolchildren translate a book about hackers".
The logic of choosing a book for working with schoolchildren is as follows:

The translation of the book is finished. This is the last "tail" chapter; from here on the chapters will go in order.

Anyone who wants to help translate Paul Graham's excellent essays: send a private message to magisterludi.

Chapter 7. “Max Vision”

(thanks to Valentin Anikeev for help with the translation)

After his cooperation with the government ended, Max, with the federal investigation still hanging over him, set about building his reputation as a white hat.

The BIND vulnerability discovery and the subsequent success of whitehats.com helped him greatly. He now positioned himself as a computer security consultant and set up a website advertising his services. Max could be hired for a hundred dollars an hour, and he helped non-profit organizations for free. His strongest selling point was a one hundred percent penetration rate on the networks he tested: he had never once failed to get in.

It was a great time to be a white hat: the rebellious spirit that drove the open-source community had spread into information security. College graduates and dropouts, former and current black hats were tearing down assumptions about computer security that had hardened into dogma over decades.

Take the old practice of keeping vulnerabilities and attack techniques secret, known only to a narrow circle of trusted insiders: the white hats derided it as "security through obscurity." The new generation preferred "full disclosure," since discussing security problems openly not only got them fixed promptly but let everyone learn from the mistakes, which benefited hackers and defenders alike. Hushing up vulnerabilities served only those who exploited them for profit, and corporations like Microsoft, which preferred to fix their embarrassing code quietly.

The full disclosure movement spawned the Bugtraq mailing list, where hackers of any persuasion could publish a detailed report on a vulnerability they had found. Better still, they could provide an exploit: code that demonstrates the vulnerability is real. Within the community it was considered more ethical to notify the vendor first and give it time to ship a fix, and only then publish the exploit or report to Bugtraq. But Bugtraq itself did no censoring, so it happened that a previously unknown bug landed on the list and within minutes thousands of hackers and security specialists knew about it. Such a move was guaranteed to get the vendor's attention and a prompt fix. In this way Bugtraq let hackers show off their skills without breaking the law. The crackers now faced a rapidly growing white hat community with an expanding arsenal of defensive tools.

One of the best tools of this kind was developed at the end of 1998 by Marty Roesch, a former contractor for the NSA's information security division. He decided it would be interesting to see what random attacks hit his home modem while he was at work. As a weekend project he wrote a packet sniffer called Snort and released it to the open-source community.

At first Snort was nothing special: packet sniffers that captured network traffic to a dump file for later analysis were already widespread. But a month later Roesch turned his program into a full intrusion detection system (IDS), which alerted the operator the moment it saw traffic matching an attack signature the system already knew. Several proprietary systems of this kind were already on the market, but Snort's flexibility and openly distributed source code immediately attracted white hats who love to play with new tools. Many enthusiasts joined the project and began extending its functionality.

Max was delighted with Snort. It resembled Bro, the Lawrence Berkeley National Laboratory project that had helped track him down during his BIND attack. Max realized the program could change the rules of the game in Internet security: white hats could now watch in real time for anyone trying to use a vulnerability discussed on Bugtraq or elsewhere.

Snort was an early warning system, like the NORAD radar network that watches America's airspace, but for computer networks. What it lacked was a thorough and up-to-date base of attack signatures, so that the program knew what to look for.

Over the following months the base grew haphazardly: each user added something of their own, and bit by bit a table of about two hundred entries came together. In one sleepless night Max brought the count to 490, more than doubling it. Some of his rules were original, others were ported from the rule set of Dragon IDS, a popular but closed system. Each rule describes the network traffic characteristic of a particular attack, so that the attack can be identified unambiguously.

For example, the rule fragment $INTERNAL 31337 (msg:"BackOrifice1-scan"; content:"|ce63 d1d2 16e7 13cf 38a5 a586|";) detects a black hat trying to use Back Orifice, the cult program from the Cult of the Dead Cow (cDc) that had wowed the crowd at Def Con 6.0. From this line Snort learns that an incoming packet to port 31337 carrying a particular sequence of twelve bytes is a sign that the backdoor is in use.
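To show what a rule like that actually does when Snort evaluates it, here is an added Python example; it is not code from the book, from whitehats.com or from Snort itself. It parses the fragment quoted above in a deliberately simplified form (only the destination port, the msg and a single hex content pattern; real Snort rules also carry an action, a protocol, source address and port, and many more options) and runs it over a few constructed packets. The packets and the rule string are made up for the example; the matching follows Snort's content semantics, where the byte string may appear anywhere in the payload unless offset or depth modifiers restrict it.

```python
import re
from dataclasses import dataclass

# Constructed rule text in the shape the chapter quotes. The header is truncated
# the way the page shows it; this toy parser only needs the destination port.
RULE = '$INTERNAL 31337 (msg:"BackOrifice1-scan"; content:"|ce63 d1d2 16e7 13cf 38a5 a586|";)'


@dataclass(frozen=True)
class Rule:
    dst_port: int
    msg: str
    content: bytes


def parse_rule(text: str) -> Rule:
    """Extract destination port, msg and one hex |...| content option from a rule."""
    head, _, opts = text.partition("(")
    dst_port = int(head.split()[-1])
    msg = re.search(r'msg:"([^"]*)"', opts).group(1)
    # Snort writes raw bytes as hex inside pipes; spaces are cosmetic.
    hexpart = re.search(r'content:"\|([0-9a-fA-F ]+)\|"', opts).group(1)
    content = bytes.fromhex(hexpart.replace(" ", ""))
    return Rule(dst_port, msg, content)


def match(rule: Rule, dst_port: int, payload: bytes) -> bool:
    """A packet matches when it hits the rule's port and the content bytes occur
    anywhere in the payload (no offset/depth modifiers in this rule)."""
    return dst_port == rule.dst_port and rule.content in payload


def scan(rule: Rule, packets):
    """Return (packet index, msg) for every packet that triggers the rule."""
    return [(i, rule.msg) for i, (port, payload) in enumerate(packets)
            if match(rule, port, payload)]


# Constructed sample traffic (dst_port, payload); not real captures.
BO_SIG = bytes.fromhex("ce63d1d216e713cf38a5a586")  # the rule's 12 bytes
SAMPLE_PACKETS = [
    (31337, BO_SIG + b"\x00" * 8),          # probe on the BO port: alert
    (31337, b"hello, world"),               # unrelated traffic on 31337: quiet
    (53, BO_SIG),                           # same bytes, wrong port: quiet
    (31337, b"\x00\x01" + BO_SIG + b"x"),   # signature not at offset 0: still alert
]


def demo():
    """Run the quoted rule over the constructed packets and return the alerts."""
    return scan(parse_rule(RULE), SAMPLE_PACKETS)


if __name__ == "__main__":
    for idx, msg in demo():
        print(f"packet {idx}: {msg}")
```

The third sample packet is the important one: the same twelve bytes on another port do not fire, because the rule header narrows the search before the content check runs, which is what keeps a signature base of hundreds of rules affordable on a live link.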

Max posted the signatures in a single file on his whitehats.com site, crediting many security experts for their contributions, including Ghost32, his own alter ego. Later he expanded the file into a proper database and encouraged other specialists to add rules of their own. He gave the rule base a catchy name, arachNIDS: the Advanced Reference Archive of Current Heuristics for Network Intrusion Detection Systems.

arachNIDS quickly became popular and lifted Roesch's Snort to a new level. The more white hats contributed to the base, the more it resembled the FBI's fingerprint database: any known attack, or a variant of it, became easier to recognize.

Max also earned recognition for dissecting and documenting how Internet worms work, the way he had with the ADM worm. The tech press even began seeking him out for comment on recent attacks. In 1999 Max joined a promising project aimed at black hats. It was created by a former army officer who applied military tactics to building a network of decoy computers (honeypots) that were meant to be hacked. The Honeynet Project quietly installed a sniffer on a system set loose on the open Internet with no protection at all: the equivalent of a police officer in heels and a miniskirt on a street corner.

When a hacker went after a honeypot, every step was carefully recorded and analyzed by security experts, and the results were published openly in the spirit of full disclosure. Max played forensic analyst and detective, reconstructing the course of the crime from the captured packets and the hacker's actions. His "investigations" exposed some secret, previously unknown hacking techniques. But Max understood that his fluffy whiteness would not save him from a federal charge. In their spare time he and Kimi thought about it. Together they could flee to Italy or to some quiet island and start over. Max would find a patron, someone with money who would appreciate his abilities and pay generously for hacking. The government's looming but inactive case became a serious test of their relationship. Before, they had never really planned their future; now they could not. Their future was out of their hands, and the uncertainty frightened them. In private they snapped at each other; in public they eyed each other warily.

"I signed a confession because we had only just gotten married and I didn't want you to get into trouble," Max said. He blamed himself for having become a honeypot of sorts: by marrying Kimi he had handed his enemies serious leverage.

Kimi transferred from De Anza Community College to the University of California at Berkeley, so they moved across the bay to live near campus. The move turned out well for Max: in the spring of 2000, Hiverworld, a hot Berkeley dot-com, offered him a job; other Hungry Programmers already worked there, now well fed and content.

The company planned a new anti-intrusion product that would not only detect attacks, as Snort did, but also actively scan the customer's network for vulnerabilities, so as not to waste time chasing attacks that could do no harm there. Snort's author, Marty Roesch, was employee number eleven. Max Vision was to be the twenty-first. The position was modest but promising. Max's first day of work was scheduled for March 21.

The American Dream, around 2000.

On the morning of March 21, 2000, FBI agents knocked on Max's door. At first he thought it was the guys from Hiverworld playing a prank. How wrong he was.

"Don't answer them!" he snapped at Kimi, grabbing the phone. He found a spot out of sight, in case the agents peered in through the windows, and dialed Granik to describe the situation: the indictment had apparently finally come down, and the FBI agents wanted to take him to jail. What should he do now?

The agents, however, left. The arrest warrant did not authorize entry into Max's house, so he had thwarted their plan simply by not answering the door. Granik, for her part, had already called the prosecutor to arrange for Max to turn himself in at the FBI's Oakland office. Max contacted his new boss, Hiverworld's chief technology officer, and told him he would not make it to work on his first day, promising to get in touch soon and explain.

The evening news delivered the shock: suspected computer hacker Max Butler had been charged on fifteen counts, including interception of confidential information, computer intrusion and possession of stolen passwords.

Max spent two nights in jail, after which he was brought before a federal judge in San Jose for arraignment. Kimi, Tim Spencer and a good dozen Hungry Programmers filled the courtroom. Max was released on a hundred thousand dollars bail: Tim wrote a check for half, and the rest was paid in cash by one of the Hungry Programmers who had made a fortune in the dot-com boom.

News of the arrest stirred up the computer security community. Hiverworld promptly withdrew its job offer: no information security company could employ someone now charged with hacking. Everyone worried about the fate of arachNIDS, which was left without a maintainer.

"This is his project," Roesch wrote on the mailing list. "So it is unacceptable to forcibly replace the maintainer and hand the project over to someone else." Max replied on the same list. He wrote at length about his lifelong love of computers and the future of intrusion detection systems, and insisted that whitehats.com and arachNIDS would carry on by whatever means necessary: "My friends and family have given me incredible support. And I am receiving various proposals for developing the projects, including in directions that would certainly lead to no good."

He cast himself as a victim, spoke out sharply against the "barbaric hunt for hackers," and accused Hiverworld of disloyalty: "When the story broke and the press began taking an interest, Hiverworld decided to end our relationship. The corporation got cold feet, which is very sad. I cannot express the frustration that seized me when I realized that there was no support from Hiverworld and none to be expected. I am innocent until proven guilty, and I will be grateful to everyone in the community who keeps that in mind."

Six months later, Max pleaded guilty. The news was nearly lost in the flood of federal prosecutions. That same month Patrick "MostHateD" Gregory, leader of the hacker group globalHell, was sentenced to twenty-six months in prison and ordered to pay just over one hundred and fifty thousand dollars in restitution for a string of website defacements. Around the same time, twenty-year-old Jason "Shadow Knight" Diekman was charged with breaking into university and NASA systems for fun, and sixteen-year-old Jonathan "c0mrade" James received six months for breaking into Pentagon and NASA networks in his spare time; he was the first juvenile imprisoned for hacking.

By all appearances, the feds now had a firm grip on the computer intrusions that frightened American corporations and government agencies. In reality they were fighting yesterday's cyber warriors: homegrown, bedroom hackers whose kind was nearly extinct.

Even as Max stood in the courtroom, the FBI was investigating a twenty-first-century threat five thousand miles away, one closely bound up with Max Vision's future.

To be continued

Finished translations and plan (status as of September 23)
PROLOGUE (GoTo camp students)
1. The Key (Grisha, Sasha, Katya, Alena, Sonya)
2. Deadly Weapons (Young programmers of the Federal Security Service of the Russian Federation, August 23)
3. The Hungry Programmers (Young programmers of the Federal Security Service of the Russian Federation)
4. The White Hat (Sasha K, ShiawasenaHoshi )
5. Cyberwar! ( ShiawasenaHoshi )
6. I Miss Crime (Valentin)
7. Max Vision (Valentine, August 14)
8. Welcome to America (Alexander Ivanov, Aug 16)
9. Opportunities (jellyprol)
10. Chris Aragon (jorj)
11. Script's Twenty-Dollar Dumps (Georges)
12. Free Amex! ( Greenhouse social technology )
13. Villa Siena (Lorian_Grace)
14. The Raid (Georges)
15. UBuyWeRush (Ungswar)
16. Operation Firewall (Georges)
17. Pizza and Plastic (done)
18. The Briefing ()
19. Carders Market (Ungswar)
20. The Starlight Room (Ungswar)
21. Master Splyntr (Ungswar)
22. Enemies (Alexander Ivanov)
23. Anglerphish (Georges)
24. Exposure (Mekan)
25. Hostile Takeover (Fanur)
26. What's in Your Wallet? (al_undefined)
27. Web War One (Lorian_Grace)
28. Carder Court (drak0sha)
29. One Plat and Six Classics (Bilbo)
30. Maksik (workinspace)
31. The Trial (Forever 4apple)
32. The Mall (Shuflin)
33. Exit Strategy (r0mk)
34. DarkMarket (Valera aka Dima)
35. Sentencing (ComodoHacker)
36. Aftermath
EPILOGUE

Source: https://habr.com/ru/post/267541/
