The Great Cyberheist (nytimes.com)
130 points by LANYC on Nov 10, 2010 | 28 comments


Shadowcrew was an awesome place. You could get pretty much anything there. The marketplace was built on reputation -- you'd send a new offering to the senior members, who'd review you.

The coolest guy there was MacGyver. He knew everything about everything. You'd ask for feedback on the new SSN cards you were selling and he'd casually drop that the SSA used band printers back when your card would have been issued, so there should be little marks here or there.

From what I could tell, he never profited from any activity there, but being a senior member and receiving goods for review, receiving credit card blanks and numbers was enough to put him away. By the time it occurred to me I could send him a letter in prison, he was already out.

Sure, he was indirectly contributing to illegal activity, but to a kid looking for fake ID info, he was a god.


This article is long, but really good; it reads like a movie.

Gonzalez not only hacked computer networks, but also personal networks. He may not have been great at code, but he was definitely good at navigating social structures. Gonzalez was certainly a great hacker, but not necessarily good.

I'll be keeping my eye out for author James Verini in the future; this was a great read.


Not to mention keeping an eye out for the movie. It would be awesome, and perhaps the commercial success of The Social Network will make it more likely.


It seems odd to me that both 'can barely write simple code' and 'it is hard, if not impossible...[for Gonzalez] to conceptualize human growth, development and evolution, other than in the language of building a machine' are applied to the same person.

It seems that Gonzalez is not actually a talented cracker at all — he just found relationships with people that did. In that way, he's more of a standard crime lord than a hacker (using the NYT's definition of hacker).


To put it in mundane terms, he's just more a sysadmin type than a programmer. Sometimes I think it's easy for programmers to have a bias against sysadmins because they aren't "creating", but the fact is that the scope of systems a typical sysadmin deals with is far greater than any programmer will ever program. Being able to grasp the scope of things and how they are working at both a high and low level is a special skill, and one that seems particularly applicable to the kind of hacks described in this article.

The wardriving and SQL injection, that's kid stuff, right? But what do you do once you're inside the system? That's where he seemed to shine.

The fact that he wasn't a great coder I think is more reflective of the fact that he didn't spend a lot of time writing code, but I don't think it reflects on his computer skills in general.


"He started to trust us...I was well aware that I was dealing with a master of social engineering and deception. But I never got the impression he was trying to deceive us."

This is the epitome of irony.


It was interesting to hear the government's side of the story. Yet again I'm convinced that the most proficient computer security experts are way outside the government. Gonzalez doesn't seem exceptionally competent. I mean the only reason he got caught was because he used a bunch of cloned debit cards in front of a cop. Yet for several years he managed to inform for the Secret Service and keep his crimes hidden.

I'm not sure the Secret Service realizes what message they're sending to criminals. Sure they punished Gonzalez for his betrayal, but they basically advertised, "If you become an informant, you risk getting a much much worse sentence."


> but they basically advertised, "If you become an informant, you risk getting a much much worse sentence."

Uh, you mean if you not only continue your crime, but escalate it to unprecedented levels after agreeing to be an informant? I think that pretty much goes without saying.


Gonzalez's actions as an informant still reduced the total amount of credit card fraud. If he hadn't informed, his associates would have committed more crime and the Secret Service probably wouldn't have caught as many of them as quickly as they did.

Assuming the Secret Service's goal is to reduce fraud, they should prefer informants who commit crimes to no informants at all.


> Gonzalez's actions as an informant still reduced the total amount of credit card fraud.

Did they?


Almost certainly. ShadowCrew was much bigger than just one person. The Secret Service claims 4,000 members, but the real number was probably several hundred. Without the help of a well-established member (Gonzalez was actually a founder), it would have been much harder for the government to crack this fraud ring.


Okay, so let's assume that's true, despite the fact that it's an extremely dubious claim considering the magnitude of the operations Gonzalez was running. Even then, your original claim was "what kind of message does a stiff sentence send", but then you come back with this as if it's better to send a message that the Secret Service are a bunch of suckers who you can play till the end and still get off the hook. Crime wouldn't be down for very long with that kind of message, and don't even get me started about the consequences of Congress hearing that message.


> Gonzalez doesn't seem exceptionally competent.

Depends what you're talking about. He's described in the article by his peers as "barely [able to] write simple code", but the US attorney who prosecuted described him as the type who knows how to manage talent around him (which seems obvious given how he leveraged friendships to accomplish some very high-level stuff).


Awesome article - here is my favorite quote:

"They pulled James’s police records and found that in 2005 he was arrested by a Palmetto Bay, Fla., police officer who found him in the parking lot of a retail store in the middle of the night. The officer didn’t know why James and his companion, a man named Christopher Scott, were sitting in a car with laptops and a giant radio antenna, but she suspected they weren’t playing World of Warcraft."



Related:

Sabrina Rubin Erdely, "Hackers Gone Wild: The fast times & hard fall of the green hat gang," Rolling Stone, June 10, 2010, p. 64. http://sabrinaerdely.com/docs/HackersGoneWild.pdf


Wow, what an awesome read. I referenced the TJX hacks in a ton of customer presentations to sell Cisco's security suite, but never knew what happened behind the scenes. On one hand, he caused $400M in damages to his direct victims, but made a fortune for IT software/security companies by instilling FUD in enterprises across the globe.


Man, I hate hearing about someone so gifted throwing their life away. Can you imagine if he had gotten interested in stopping the spam epidemic? That would have been awesome.


First five pages, http://www.google.com/search?hl=en&biw=1920&bih=938&...

(Google must be the referral for the links to work)


Jacking the point-of-sale terminals was inspired - very elegant problem solving.


You can follow the Google referral to see the article without logging in.

http://news.google.com/news/search?aq=f&pz=1&cf=all&...


Worked for me without going through Google.


Or just open it in incognito mode.


Or "Private Browsing" if I'm using Firefox instead of Chrome? Having noscript installed didn't help. I still got the login page. Does private browsing hide the referrer URL?


It is the cookies that matter.


Interesting that the guy was apparently not a good coder:

"He is not a gifted programmer — according to Watt and Toey, in fact, he can barely write simple code — but by all accounts he can understand systems and fillet them with singular grace."


I used to be a developer at Target a few years ago. This incident really made them realize how important security was. Things changed (though I can still think of a few holes); it's a lot, LOT tighter.


It would be interesting to see if there are any cases where hackers bribe a software company's employee to disclose information on vulnerabilities.



