From White Hat to Black – The Curious Case of Cybercrime Kingpin Max Vision

Kevin Poulsen, former hacker and currently Senior Editor at Wired.com, gives a captivating talk at RSA Conference on the intricate story of the cyber criminal named Max Ray Vision (Max Butler) who ended up going from white hat to black hat.

Kevin Poulsen: Thanks for coming, everybody. So, as you’ve heard, I’m a journalist, I’ve been at Wired for about 6 years, and before that I was at securityfocus.com and I’ve done freelancing for magazines and the like. And if you go back far enough, I’m also a former black hat hacker, though the word didn’t really exist back then – it was a long time ago. I was into the phone company extensively, which means both I liked the phone company and I was into them, so I was into the switching systems and the ordering systems, and all the testing systems. And it started off as a purely recreational thing, an extension of phone phreaking – it began before I was born, and by the end I found a way to monetize it: I started using my access to phone company switches to cheat at radio station phone-in contests. By today’s standards of cybercrime it was kind of slim pickings, but I got like a Porsche and a bunch of trips to Hawaii, and some cash, in total like 70,000 dollars.

I got caught, I should have mentioned that part, and I ended up serving about 5 years in jail; it was all pre-trial custody, and I was ultimately sentenced to time served and released. When I got out, I was not allowed to use computers connected to the Internet for a time; I worked as a canvasser for a political organization and I started doing freelance writing, and that eventually turned into a journalism career, because once you’re a convicted felon, how can you possibly sink any lower than to become a reporter?

So over the years I’ve covered a huge number of hackers and hacker gangs, and the law enforcement people that have tracked them, and I found the subject fascinating, not just because of my own past, but because of the way the cybercrime scene has evolved. And when it came time for me to write a book, it was about this particular hacker, who I found particularly interesting because he himself kind of epitomized the transition that we have all seen over the last decade, of hacking going from being a primarily recreational thing, the kids doing it in their bedrooms like Matthew Broderick in “WarGames”, to being a professional criminal enterprise.

The White Hat Hacker

Max Vision (photo)

And in Max’s case he kinda took the opposite course to what a lot of people did in the 90s, when he saw ex-hackers basically going legit, starting computer security companies, becoming penetration testers. He made his mark first in Silicon Valley as a white hat hacker. He kind of came out of nowhere in the late 1990s and burst onto the full disclosure scene, started doing vulnerability analysis and looking at malware and the like. There he is (see photo).

The BIND attack geography (map)

If you’ve been around for a while, you might remember Max, he ran an open source database of intrusion detection signatures for Snort – it was called Arachnids; he contributed analysis and code to the Honeynet project; he wrote papers on viruses and worms, like the Ramen worm, if anyone remembers – that was really quaint. The problem is he also had kind of a mischievous streak, and in late 1998 he saw a CERT advisory about what was then a huge security vulnerability in the BIND name server software. So this software – it’s still pretty ubiquitous, back then it was everywhere, and it had a buffer overflow that you could use to basically take over the server with root capabilities remotely.

So the white hat part of Max was very concerned about this, because he believed nobody was going to patch it, which was not at the time an unreasonable thing to assume. He’d begun doing some consulting for the FBI, and he actually got on the phone and called the FBI agent he worked with at home to say: “Hey, this is a major vulnerability and I’ll tell you what: the militaries can be particularly vulnerable, because there is no way that they are going to be on top of this.” He felt like they didn’t take him seriously enough, so he decided to write a program that would scan IP ranges and look for this vulnerability, exploit the vulnerability, go in and patch it automatically. So he ran this and he targeted in particular government agencies and military IP ranges.

So this thing got everywhere; there was never a final count on how many systems were affected, but it was in the thousands, which, again, in the late 90s was a pretty big number, and he basically made a lot of air force bases and cabinet agencies, and all sorts of government networks, more secure in a way, because they’d had this vulnerability before, and now, after this code ran, they didn’t have this vulnerability. But here he had a little bit of black hat in him, and he couldn’t resist also installing a rootkit on all of these systems with a packet sniffer and a backdoor, so he could come in at any time. He actually had an email conversation with one of his victims who had discovered this activity; he sent him an email from the root account on this administrator’s own system and said:
– Hey, congratulations on spotting this, but I think you’re overreacting.
– Yes, I put backdoors on all these systems, but before – they could be hacked by anybody, now they can only be hacked by me, so I’ve made the Internet a safer place.


Max was naive. So he thought that because he had good motives and because he was a nice guy that nobody would be terribly alarmed by this. He was doing it anonymously, of course, but he didn’t really cover his tracks so much. He had his rootkit program to report back to him every time it infected a system. At one point, when he got into the Navy’s IP range, he got so many pings from these cracked systems that his own computer crashed.

Max served his sentence at FCI Taft (photo)

And it was very easy for them to track him down from that feedback mechanism. So they wound up knocking at his door; it was the same FBI agent that he’d been working with, plus a guy from the air force who’d done the detective work, and he immediately started apologizing and he confessed to everything. They tried to turn him at that point into an informer; they wanted him to go to Defcon and start gathering information on Defcon attendees. He was kind of well-respected as a white hat at the time, and he also had one foot in the black hat community, so they thought that he could gather information. Then they asked him to wear a wire on one of his friends, he refused – and they charged him. So he wound up going here, to the Federal Correction Institute in Taft in Central California, in the middle of nowhere as you can see, for an 18-month stretch.

Comments:
  1. mithlesh says:

    save all of u

  2. Andre says:

    Very interesting read indeed. Thanks for the share David!
