Digg this story   Add to del.icio.us  
"White Hat" Hacker in Court
Kevin Poulsen, SecurityFocus 2000-04-13

Open source hacker "Max Vision" aided the FBI while allegedly cracking the Pentagon.

A 27-year-old computer security expert and former FBI source returned to federal court in San Jose, California Wednesday, where he stands accused of penetrating a string of defense department and civilian computers.

Max Butler, known as "Max Vision" to friends and associates, was slammed with a fifteen count indictment last month charging him with interception of communications, computer intrusion and possession of stolen passwords in connection with an alleged hacking spree in the Spring of 1998. At Wednesday's appearance, Judge James Ware set a new date of May 8th for laying down the timetable of deadlines and court appearances that lead to trial.

Butler's indictment sent shockwaves through the close-knit community of computer security experts who specialize in the arcane science of intrusion detection - the careful analysis of Internet traffic for "signatures" indicative of an attack. Butler is noted for creating and maintaining arachNIDS, an open source catalog of attack signatures that could be thought of as a clearinghouse of clues for Internet cybersleuths, and is part of an overall public resource that Butler created at WhiteHats.com.

In the parlance of hackers, "white hats" are ethical and law abiding -- distinguishable from "black hats" who crack computers without permission, and "gray hats" who fall somewhere in between.

Martin Roesch, Director of Forensic Systems at network security startup Hiverworld, says that until last month, there was no doubt what color Butler's "hat" was. "He donated an immense amount of time to open source security, and he did a hell of a job." says Roesch. "Everyone's using arachNIDS."

Roesch recruited Butler to join Hiverworld as Vulnerability Engineer, luring him away from the consulting work and penetration testing he performed as Max Vision Network Security. According to Hiverworld, Butler passed a background check, and was to start work on March 21st. He didn't make it.

"The day he was supposed to start he said he was unable to come in... and that he would catch up with me in a day or two," recalls Hiverworld CTO David Cruickshank. "That night, I had fallen asleep with the TV on, and I woke up when I heard his name on the news."

Known Vulnerability
Butler self-surrendered to authorities on March 21st, the day he was to begin his new job. He's charged with cracking systems at McChord Air Force Base, NASA's Marshall Space Flight Center, the Argonne and Brookhaven National Labs, IDSoftware, and an unspecified Defense Department system. Another count alleges he unlawfully possessed 477 customer passwords from Aimnet, an ISP.

He plead not-guilty, and was released on March 24th on $100,000 in signature and property bonds posted by friends in the open source community, a dozen of whom reportedly flocked to the courtroom in support of Butler.

According to an FBI affidavit dated July 2nd, 1998, executed by agent Peter Trahon of the Bureau's San Francisco Computer Crime Squad, the investigation that led to Butler began in May of that year, when the Defense Department began suffering a rash of intrusions exploiting a "recently discovered" vulnerability in a common piece of software called BIND.

The devastating security hole formally known as the "iquery BIND Buffer Overflow vulnerability" was publicly announced by Carnegie Mellon's Computer Emergency Response Team (CERT) on April 8th, 1998, by which time a new version of BIND without the bug was available. But a month later, according to the affidavit, hackers were still using it to crack Air Force systems, nuclear laboratories, the U.S. Departments of Commerce, Transportation and the Interior, as well as the National Institute of Health.

According to the statement, on May 21st, 1998 an Air Force investigator tracked an intruder from McChord Air Force Base back to a computer at Los Angeles Community College, which proved to be a staging ground for BIND buffer overflow attacks on military sites all around the country. Connection logs obtained from the college under a court order lead to a particular Internet address at an ISP, where records obtained under a second court order completed the trace to Max Butler's home telephone number.

The telephone number was familiar to the FBI. "Max Butler is well known to the [agents] of the Computer Crime Squad," the 1998 affidavit reads. "Butler has been a confidential source... for the FBI for approximately 2 years. He has provided useful and timely information on computer crimes in the past."

The affidavit notes that their source "has the ability to develop techniques for, and commit, a sophisticated computer intrusion such as the ones described herein."

"Hacker Witch-Hunt"
The FBI searched Butler's home on July 2nd, 1998. But according to his lawyer, the raid didn't stop the Computer Crime Squad from returning to Butler for more help.

Defense attorney Jennifer Granick, says her client's cooperation with the FBI never involved informing on other people. "They used him for technological help, and then they pressured him to do more than that, and to do things he didn't want to do," says Granick. "They continued to seek his assistance even after he became a suspect in this case."

"The government then turns around in court and says he's dangerous and he's a flight risk, even though they had continued to want to work with him," says Granick, who declined to comment on other details of the case.

Assistant U.S. Attorney Ross Nadel -- Butler's prosecutor and the head of Silicon Valley's "Computer Hacking and Intellectual Property" (CHIP) unit -- didn't return phone calls Wednesday.

Butler is under advice from Granick not to speak to the press, and he didn't answer an email inquiry. But in an April 3rd message to an intrusion detection forum, Butler commented on what he termed the "frenzy of the hacker witch-hunt."

"I am innocent until proven guilty and would appreciate the recognition of this by our community," writes Butler, who also vows to continue his work on open source security, though at a reduced capacity. "Due to my unusual circumstances, the focus of my activities will shift to more professional work and less pure research... I'll do what I can as the situation allows."

Butler also railed against Hiverworld, which withdrew its employment offer after learning of his indictment. "[T]he corporation expressed cowardice that is deplorable. I can't tell you how disappointed I was to feel the complete lack of support from the Hive," wrote Butler.

Hiverworld's Cruickshank says the company had no choice. "We're a security start up that does intrusion detection and vulnerability scanning, so having a person on staff who is under suspicion for major hacking incidents is probably not the best idea in the world," says Cruickshank.

"As a security company," Cruickshank adds, "it's really important for us to have white hats on board."

    Digg this story   Add to del.icio.us  
Comments Mode:
Ethical Wrongdoers? 2000-05-02
Anonymous (1 replies)
Ethical Wrongdoers? 2000-05-04


Privacy Statement
Copyright 2010, SecurityFocus