
The underground market of carders. Translation of KingPIN. Chapter 7. “Max Vision”

The book traces the path from a teenage geek (but at the same time an athletic one) to a seasoned cyber kingpin, and along the way shows some of the methods the special services use to capture hackers and carders.
The beginning and the translation plan are here: "Kingpin: students are translating a book about hackers."
The logic behind choosing this book for working with schoolchildren is as follows:
- there are few books about hackers in Russian (one and a half)
- there are no books about carding in Russian at all (UPD: one has been found)
- Kevin Poulsen is a WIRED editor, no fool, and an authoritative source
- to involve young people in translation and creative work on Habr and to get feedback from seniors
- working in a tight chain of schoolchildren, students and specialists is very effective for learning and shows the importance of the work
- the text is not very hardcore and is accessible to a wide audience, yet it touches on information security, payment-system vulnerabilities, the structure of the carding underground, and the basic concepts of Internet infrastructure
- the book illustrates that hanging around underground forums ends badly
The translation of the book is finished. This is the last loose end; from now on the chapters will be published in order.
Anyone who wants to help translate Paul Graham's excellent essays, send a private message to magisterludi.
Chapter 7. “Max Vision”
(thanks to Valentin Anikeev for help with the translation)
When cooperation with the government ceased, Max, despite the pressure of the federal investigation, set about building a reputation for himself as a "white" hacker.
The disclosure of the BIND vulnerability and the subsequent success of whitehats.com were a great help to Max. Now he positioned himself as a computer security consultant and created a website advertising his services. Max could be hired for one hundred dollars an hour, and he helped non-profit organizations for free. His most powerful argument was one hundred percent penetration of the network under study: there were never any misfires.
It was a wonderful time for white hackers: the rebellious spirit of the open-source community was spilling into the realm of information security. College graduates and expelled students, former and current "black" hackers, were tearing down assumptions about computer security that had become entrenched over decades.
For example, the principle of hiding security vulnerabilities and hacking methods, which were known only to a narrow circle of insiders, the "white" hackers called "security through obscurity." The new generation preferred "full disclosure," since open discussion of security problems made it possible not only to fix them quickly but also to learn from mistakes, which benefited both hackers and defenders. Hushing up vulnerabilities benefited only those who used them for personal gain, and corporations such as Microsoft, which preferred to fix their shameful code quietly.
The "full disclosure" movement spawned the Bugtraq mailing list, where hackers of any persuasion could publish a detailed account of the vulnerabilities they found. Better yet, they could provide an exploit: code that demonstrates the existence of a vulnerability. Within the community it was considered more ethical to first notify the developer and give him time to fix the vulnerability, and only then publish the exploit or report on Bugtraq. But Bugtraq itself did no censoring, so it happened that a previously unknown bug landed on the list and thousands of hackers and security experts learned of it within minutes. Such a maneuver was guaranteed to attract the developer's attention and prompt a fix. Thus Bugtraq allowed hackers to demonstrate their skills without breaking the law.
One of the best tools of that era was developed at the end of 1998 by Marty Roesch, a former NSA cybersecurity contractor. He decided it would be interesting to learn about stray attacks that might hit his home modem while he was at work. As a weekend project he wrote a packet sniffer called Snort and released it to the open-source community.
At first Snort was nothing special: sniffers that intercepted network packets and wrote them to a dump file for later analysis had been in wide use before. But a month later Roesch turned his program into a full-scale intrusion detection system (IDS), which alerted the operator as soon as it saw signs of an attack already known to the system. Several such proprietary systems were on the market, but Snort's versatility and freely available source code immediately attracted the attention of "white" hackers who love to play with new utilities. Many enthusiasts joined the project and began extending the program's functionality.
Max was delighted with Snort. The program resembled Bro, a project of the Lawrence Laboratory in Berkeley that had helped track Max during his BIND attack. Max understood that this program could change the rules of the game in Internet security. Now "white" hackers could watch in real time for anyone trying to exploit a vulnerability discussed on Bugtraq and other resources.
Snort was an early warning system, the equivalent of the NORAD radar network that watches America's airspace, but for computer networks. All that was missing was a comprehensive and up-to-date signature database of the various attacks, so that the program knew what to look for.
Over the next few months the database filled up haphazardly. Each user added something of his own, and bit by bit a table of about two hundred records was assembled. In one sleepless night Max brought the number of records to 490, more than doubling its size. Some entries were unique, others were borrowed from the rules of Dragon IDS, a popular but closed system. Such rules are written from the network activity of each attack, which allows it to be uniquely identified.
For example, the string "$INTERNAL 31337 (msg:'BackOrifice1-scan'; content:'|ce63 d1d2 16e7 13cf 38a5 a586|';)" lets you find a "black" hacker who is trying to use Back Orifice, the cult program from the Cult of the Dead Cow that impressed everyone present at the Def Con 6.0 conference. From this line Snort understands that an incoming connection on port 31337 carrying a specific sequence of twelve bytes is a sign that the backdoor is in use.
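To make the mechanics of such a signature concrete, here is an added example (not Snort's code and not from the book) of a toy signature matcher in Python. It assumes a simplified rule grammar consisting only of the pieces quoted above: a network variable such as $INTERNAL, a destination port, and the msg and content options, with hex bytes written between pipe characters exactly as in Snort's content syntax. The rule text and the packets are constructed for the example; the $INTERNAL variable is treated as matching any packet, and the Snort rule header (action, protocol, direction) is omitted.

```python
"""Toy Snort-style signature matcher (added example; not Snort's own code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str        # value of the msg option
    dst_port: int    # destination port the rule applies to
    content: bytes   # byte pattern that must appear in the payload


# Constructed rule text modelled on the Back Orifice signature quoted above.
# $INTERNAL stands for the protected network, as in Snort's variables;
# this toy matcher does not filter on it.
RULE_TEXT = (
    "$INTERNAL 31337 (msg:'BackOrifice1-scan'; "
    "content:'|ce63 d1d2 16e7 13cf 38a5 a586|';)"
)

# <variable> <port> ( <options> )
_RULE_RE = re.compile(r"^\$(\w+)\s+(\d+)\s*\((?P<opts>.*)\)\s*$")
# name:'value';  (single quotes because the page quotes the rule that way)
_OPT_RE = re.compile(r"(\w+)\s*:\s*'([^']*)'\s*;")


def parse_content(raw: str) -> bytes:
    """Decode a content string: text between pipes is hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        if i % 2 == 1:  # inside a |...| pair: hex digits, whitespace ignored
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> Rule:
    """Turn one rule line into a Rule; raises ValueError on malformed input."""
    m = _RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = dict(_OPT_RE.findall(m.group("opts")))
    if "msg" not in opts or "content" not in opts:
        raise ValueError("rule needs both msg and content options")
    return Rule(opts["msg"], int(m.group(2)), parse_content(opts["content"]))


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


def matches(rule: Rule, pkt: Packet) -> bool:
    """A packet trips the rule when port and payload pattern both agree."""
    return pkt.dst_port == rule.dst_port and rule.content in pkt.payload


def scan(rules, packets):
    """Return (rule name, source address) for every packet that trips a rule."""
    return [(r.name, p.src) for p in packets for r in rules if matches(r, p)]


# Constructed sample traffic: a probe carrying the twelve-byte pattern on
# port 31337, a benign packet on the same port, and the pattern on another port.
BO_PATTERN = bytes.fromhex("ce63d1d216e713cf38a5a586")
SAMPLE_PACKETS = [
    Packet("10.0.0.7", 31337, BO_PATTERN + b"\x00" * 6),
    Packet("10.0.0.8", 31337, b"hello"),
    Packet("10.0.0.9", 8080, BO_PATTERN),
]

if __name__ == "__main__":
    rule = parse_rule(RULE_TEXT)
    for name, src in scan([rule], SAMPLE_PACKETS):
        print(f"ALERT {name} from {src}")
```

Only the first constructed packet produces an alert: the second lacks the byte pattern and the third arrives on the wrong port. This is the whole idea of a signature: both the port and the byte sequence have to agree before the IDS raises its hand.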
Max uploaded the signatures as a single file to his whitehats.com website, thanking many security experts for their contributions, including Ghost32, his own alter ego. He later expanded this file into a serious database and encouraged other specialists to add their own rules. He gave the rule base the vivid name arachNIDS, from Advanced Archive of Indications, Detections and Patterns for Intrusion Detection Systems.
ArachNIDS instantly became popular and helped Roesch's sniffer reach a new level. The more actively the "white" hackers filled the database, the more it resembled an FBI fingerprint database: it became easier to recognize any known attack or its variants.
Max gained recognition by analyzing and describing how Internet worms work in the same detail with which he had taken apart the ADM worm. The tech press even began seeking him out for comments on recent attacks. In 1999 Max joined a promising project aimed at black-hat hackers. It was created by a former army officer who applied his knowledge of military tactics to build a network of decoy computers (honeypots) designed to be broken into. The Honeynet project (a "honey network") involved the hidden installation of a sniffer on a system that was then released onto the open Internet without any protection, just like a decoy policewoman in high heels and a miniskirt on a street corner.
When a hacker tried to break into a honeypot, every step he took was carefully recorded and analyzed by security experts, and the results were published openly in accordance with the idea of "full disclosure." Max worked like a criminal investigator, reconstructing the course of the crime from intercepted packets and the hacker's actions. His "investigations" revealed some secret, previously unknown hacking techniques. But Max understood that his fluffy "whiteness" would not save him from federal prosecution. In their spare time he and Kimi thought this over. They could flee together to Italy or to some quiet island and start all over again. Max would find a patron, someone with money who would appreciate his abilities and pay generously for hacking work. The looming presence of the government was a serious test of their relationship. If before they had not really planned their future, now they could not make any plans at all. Their future was beyond their control, and this uncertainty was frightening. In private they bickered, and in public they eyed each other warily.
"I signed a confession because we had just gotten married and I didn't want you to have any trouble," Max said. He blamed himself for having become a honeypot: marrying Kimi had given his enemies a very serious advantage.
Kimi transferred from De Anza Community College to UC Berkeley, so they moved to the other side of the bay to live close to campus. The move turned out well for Max: in the spring of 2000, the Berkeley company Hiverworld offered him a job at a popular dotcom where other "Hungry Programmers" already worked, now, however, satisfied and well fed.
The company planned to create a new anti-hacker system that would not only detect intrusion attempts, like Snort, but also actively scan the customer's network for vulnerabilities, rather than settling for catching attacks that could no longer do much harm. Snort's author, Marty Roesch, was employee number 11. Max Vision was to be the twenty-first. The position was modest but promising. Max's first working day was scheduled for March 21.
The American Dream, circa 2000.
On the morning of March 21, 2000, FBI agents knocked on Max's door. At first he thought it was the old-timers at Hiverworld playing a prank on him. Not a chance!
"Don't answer them, whatever you do!" he shouted to Kimi, grabbing the phone. He found a secluded spot in case the agents looked in through the windows and dialed Granik to describe the situation: the indictment seemed to have finally been issued, and the FBI agents wanted to arrest him. What should he do now?
The agents, however, left. The arrest warrant did not allow them to enter Max's house, so he had thwarted their plan simply by not answering the knock on the door. Granik, for her part, had already called the prosecutor to try to arrange for Max to surrender at the FBI office in Oakland. Max contacted his new boss, the Hiverworld CTO, and told him that he would not be able to come to work on his first day. He promised to get in touch soon and explain himself.
The evening news about Max was shocking: hacker Max Butler, suspected of computer intrusion, was charged with fifteen counts, including interception of confidential information, penetration of a computer network, and possession of stolen passwords.
Max spent two nights in jail, after which he was brought before a federal judge in San Jose for arraignment. Kimi, Tim Spencer and a good dozen Hungry Programmers filled the courtroom. Max was released on a bail of one hundred thousand dollars: Tim wrote a check for half the amount, and one of the "hungry" who had made a fortune in the dotcom boom put up the rest in cash.
News of the arrest stirred the computer security community. Hiverworld abruptly withdrew its job offer: no information security company could hire a person now accused of hacking. Everyone worried about the fate of the arachNIDS database, which was left without a curator.
"This is his project," Roesch wrote on the mailing list. "Forcibly changing the curator and handing the project to other hands is therefore unacceptable." Max replied on the same mailing list. He wrote at length about his long-standing love of computers and the future development of intrusion detection systems. Max insisted that whitehats.com and the arachNIDS database would continue to exist by any means: "My friends and family have given me incredible support. And I am receiving various proposals for developing the projects, right up to directions that probably won't lead to anything good."
He cast himself as a victim, spoke out sharply against the "barbaric hunt for hackers," and accused Hiverworld of disloyalty: "When the veil fell and the press began to show interest, Hiverworld decided to end our relationship. The corporation got scared, which is very sad. I can't express all the disappointment that came over me when I realized that there was no support from Hiverworld and none was to be expected. I am innocent until proven guilty. And I will be grateful to everyone in the community who is aware of this."
Six months later Max pleaded guilty. The news was almost lost in a flurry of reports on federal investigations. In the same month, Patrick "MostHateD" Gregory, leader of a hacker gang called globalHell, was sentenced to twenty-six months in prison and ordered to pay a fine for a series of website defacements totaling a little over one and a half hundred bucks. At the same time, twenty-year-old Jason "Shadow Knight" Dickman was charged with hacking university systems and NASA, which he had done for fun. And sixteen-year-old Jonathan "C0mrade" James received 16 months in prison for breaking into the networks of the Pentagon and NASA in his spare time: he was the first minor to be jailed for hacking.
From every side it seemed that the feds were now confidently cracking down on the computer intrusions that had instilled fear in American corporations and government agencies. In fact they were fighting "yesterday's" cyber warriors, home-grown "bedroom" hackers, a breed that was nearly extinct.
Even as Max stood in the courtroom, the FBI was investigating a twenty-first-century threat five thousand miles away, one closely linked to the future of Max Vision.
To be continued
Finished translations and plan (as of September 23)
PROLOGUE (GoTo camp students)
1. The Key (Grisha, Sasha, Katya, Alena, Sonya)
2. Deadly Weapons (Young programmers of the FSB RF, Aug 23)
3. The Hungry Programmers (Young programmers of the FSB RF)
4. The White Hat (Sasha K, ShiawasenaHoshi )
5. Cyberwar! ( ShiawasenaHoshi )
6. I Miss Crime (Valentine)
7. Max Vision (Valentine, Aug 14)
8. Welcome to America (Alexander Ivanov, Aug 16)
9. Opportunities (jellyprol)
10. Chris Aragon (jorj)
11. Script's Twenty-Dollar Dumps (George)
12. Free Amex! ( Social Technology Greenhouse )
13. Villa Siena (Lorian_Grace)
14. The Raid (George)
15. UBuyWeRush (Ungswar)
16. Operation Firewall (George)
17. Pizza and Plastic (done)
18. The Briefing ()
19. Carders Market (Ungswar)
20. The Starlight Room (Ungswar)
21. Master Splyntr (Ungswar)
22. Enemies (Alexander Ivanov)
23. Anglerphish (Georges)
24. Exposure (Mekan)
25. Hostile Takeover (Fanart)
26. What's in Your Wallet ? (al_undefined)
27. Web War One (Lorian_Grace)
28. Carder Court (drak0sha)
29. One Plat and Six Classics (Bilbo)
30. Maksik (workinspace)
31. The Trial (Forever 4apple)
32. The Mall (Shuflin)
33. Exit Strategy (r0mk)
34. DarkMarket (Valera aka Dima)
35. Sentencing (ComodoHacker)
36. Aftermath
EPILOGUE