Wednesday, September 12, 2007

Max Ray Butler in Trouble Again

In my first book I wrote the following on p 170:

WHO WROTE PRIVMSG?

The author of Privmsg served one year in prison after pleading guilty in a U.S. District Court to a single count of computer intrusion. In May 1998 he compromised numerous government, military, and academic servers running BIND and installed back doors on those systems. He was caught thanks to skillful use of session data by analysts at the AFCERT and by Vern Paxson from Lawrence Berkeley Labs. See http://www.lbl.gov/Science-Articles/Archive/bro-cyber.html for more information on Paxson’s use of Bro and the “boastful and self-justifying” e-mail the intruder sent to Paxson. For details on the intruder, see Wired’s account at http://www.wired.com/news/culture/0,1284,54838,00.html. Kevin Poulsen’s story at http://www.securityfocus.com/news/203 has more details.

The bottom line is it does not pay to infiltrate government machines -- especially Air Force servers or computers monitored by IDS researchers.


I didn't name Max Ray Butler (aka "Max Vision") as the author of Privmsg, but if you followed the stories you would have figured that out yourself.

I also didn't publicize this August 2002 post by Max to the SecurityFocus Jobs mailing list, subject line bay area security professional, $6.75/hr... Please read below!:

Greetings security employers:

I have an unusual situation that I would like to describe to you, and in doing so I am asking that anyone who can immediately employ me in the San Francisco Bay Area, please read this email and consider taking advantage of my availability and temporarily low cost.

I am...
o a seasoned professional with extensive security skills and experience
o a once convicted hacker (DOD, 1998)
o local to the San Francisco Bay Area, I live in Oakland
o willing to work for minimum wage (for the next two months)
o eager to work 60 hour weeks; I don't mind nights/weekends/holidays...

My Conviction (why I am desperate)

I am not proud of being convicted of a felony, but it is important that a potential employer know of my status. Apparently if you have FDIC insurance there is a clause stating that you cannot hire a convicted hacker on your projects. It is also because of my status that I am desperate for security-related or even internet-related work.

The truth is, I am living in a federal halfway house transitioning out of prison back into society. I have to find local work to meet their requirements, and they haven't approved any telecommute offers I have had so far. The director of the facility told me that if I don't find a job in the next week or so he will send me back to prison (my sentence actually ends October 12th)...

Sincerely,

Max Vision


That's one of the saddest and most pathetic posts I've ever read.

So where are we now, five years later? Check out Max Vision charged with hacking -- again:

In a five-count indictment unsealed on Tuesday, federal prosecutors allege that Butler ran a scheme to hack into computers at financial institutions and credit-card processing centers, stealing account information and selling the data to others. Butler also ran the online carders' forum, CardersMarket, under the name "Iceman" and "Aphex" as a way to coordinate illegal activities and meet people with similar interests, according to an affidavit penned by the U.S. Secret Service, which spearheaded the investigation...

During the 16-month investigation, the Secret Service maintained two confidential informants, one of which was an administrator on the CardersMarket forum. The informants gave the investigators an eye-opening view of the inner workings of the carders' world, the affidavit stated.

Butler purportedly used at least five different handles -- including "Iceman," "Aphex," and "Digits" -- in an attempt to confuse law enforcement and keep his administrative activities on CardersMarket separate from his outright illegal activities, the affidavit maintains...

A federal grand jury indicted Butler on charges of wire fraud and identity theft. If Butler is found guilty of all five charges, he could face up to 70 years in prison and a fine of $1.5 million, according to the U.S. Attorney's Office in Pittsburgh. Butler is currently being held in San Francisco until he appears in court on Monday.


I know Mr Butler is innocent until proven guilty in US courts, but human evidence gathered by informants is going to be tough to beat.

Show this post to your kids if they think "[malicious] hacking is cool." If you think "[malicious] hacking is cool," remember Mr Butler's fate the next time you break the law.

10 comments:

kurt wismer said...

this isn't just a post to show to your kids if they think malicious 'hacking' is cool; it's also a post to show to anyone who thinks hiring a (supposedly) former black-hat for a position in a security company is no problem...

sometimes bad people reform, but just as often they don't... whatever benefits one thinks one might be getting by picking up someone like this have to be weighed against the very real risk that they're still bad...

he may not have abused the trust of his employer (there wasn't enough info in the securityfocus piece to tell if he did or not) but he doesn't sound like the kind of person who'd have any qualms about it if a good opportunity arose...

Anonymous said...

Sounds like he got desperate as no one would hire him (as per policy) and turned to the dark side. From what it looks like he wasn't doing anything particularly malicious before he went to jail. Sure he was breaking into some high level computers but I haven't heard anything about him destroying computers/stealing credit cards etc back then. As that email to the admin said he was just interested in getting access not for any financial gain.

Then he goes to prison and comes out a changed person.

--Anonymous

Anonymous said...

Anonymous: very good point.

You have to wonder how many people actually get more desperate and willing to do more serious/worse things in jail. Heck, I'll bet some even spend their time learning about criminal activities in jail. Countries like Norway have rethought the jail system to turn it mainly into a rehabilitation system instead of a punishment system.

kurt wismer said...

from what i've read (i went on to read other pieces about him besides the securityfocus article linked to here) he actually was hired (as a consultant) after his release from prison...

as for his prior crime, i gather he didn't just break into those systems but also left backdoors to facilitate getting back in later... there may not have been a financial component but it was at a time before cybercrime as we now know it took off...

Richard Bejtlich said...

Hi Kurt,

If we want first-hand accounts of what happened, one of my friends might be compelled to say something here... (hint)

Richard Bejtlich said...

Ref: CardersMarket takedown, details, and confessions

Anonymous said...

I've got a felony for making ecstasy in 2000, when I was an undergraduate. I've got an MS in Molecular Biology (charges were brought long after crimes were committed), which is essentially useless now. I have no intention of ever doing anything illegal again, no matter how cushy people might make Federal Prison out to be it is still horribly unpleasant and nothing like the joys of freedom. However, I know in many countries criminal history is a matter between oneself and the state, not something for public record.

When you go through the halfway house you see lots of guys trying to make a new start, positive about living a legal lifestyle. But then you see them get their minimum wage jobs in factories, the feds are taking 25% of their paycheck for restitution, 25% to the halfway house, 25% for child support (which a majority are paying). I saw them and I knew many of them would turn back to selling drugs. They have absolutely no hope otherwise. They are permanently branded and barred from hundreds of occupations (Anything requiring a state license, from lawyers to barbers).

skelit0re said...

It seems most people here are totally CLUELESS as to who this infamous man actually IS. The people who all cash their paychecks at ALL major antivirus companies owe him a HUGE thanks, as do most future programmers because of the work he made PUBLIC. This is a sad sad sad day for the middle class, as this man was only trying to rise above poverty by "maybe" taking money that has already been stolen a thousand times over before he ever even THOUGHT about it? Anyone with enough money to have been a target of his got the money 100% honestly??? PLEASEEEE!! at least aphex has contributed to this entire cyber world in technology that i ASSURE YOU would not be here today if not for him...AND HE NEVER CHARGED A DIME FOR IT! You people are clueless, making scams, backdoors, all that crap is EVERYWHERE no matter where you go, and thats why computer owners were ONCE held to a higher standard of liability ine plain use of THEIR machine, in other words, if you dont know how to control your system, YOU ARE RESPONSIBLE FOR WHAT HAPPENS THROUGH IT!!! Because YOU took the responsibility by turning it on! Aphex's contributions to technology are absolutely not measurable! Stay strong aphex! you are needed! you would THINK someone could recognize your genius and USE it constructively. America has become exactly what we came here to get AWAY from. shame on my own country, i am so ashamed.

skelit0re said...

apparently not the same aphex thank god. anyway, the dude doesnt deserve what hes getting.

Anonymous said...

aphex? as in the downloader and hack-toolset? could the real aphex please stand up?
oh wait, he wrote for the wrong people too.