Kingpin: How One Hacker Took Over the Digital Underground at SXSW

Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground is the story of a morally ambiguous protagonist who was never, not for one second, morally ambiguous in his own mind. The story of a man who stole tens of millions of dollars, giving not one flying fuck for the swag such riches could have brought, nor for an ever-increasing subtotal that would have brought tears to the eyes of a typical Midas. An intensely competitive man who nonetheless refused to participate in the default competition, the race of the rats. A man of volatile mood and odd habits, diagnosed as bipolar, who saw himself as the one sane person in a deranged world.

In other words, it’s the story of a hacker.

It’s the story of a hacker who did to the black market for credit cards roughly what Genghis Khan did to Eurasia. Gordon Gekko would have worshipped him. In a single James Bond-worthy masterstroke, Max Vision wiped out every major carding market on Earth, then recreated them in one site under his complete control. If the visuals didn’t consist largely of one guy in a darkened room typing furiously, it would be perfect for Hollywood.

But Kingpin is more than just another long-form hack story: It’s the story of a hacker told by a hacker. In this book Kevin Poulsen, recovering hacker and for many years senior editor at Wired, recounts the events leading up to the final (so far) capture of the hacker known to his parents as Max Butler, to the courts as Max Rad Vision, and to carders around the world and, not incidentally, the FBI, as Iceman, Ghost23, Generous, Digits, Aphex, and the Whiz.

I picked it up because hackers told me to. They were not wrong. It’s probably the best book about a hacker that’s ever been written.

YET (publishers, call my agent).

Kingpin excerpt via Wired

It’s both a caper thriller and a slice-of-life biography, and it’s enlightened throughout by Poulsen’s complete command of the subject matter. The world does not need yet another book about hackers written by someone who does not understand what it is they actually DO, nor how they think and feel. Poulsen understands on a code level, perhaps even a cellular level, what it is they actually do, and who it is they actually are, and has the colourful resume to prove it.

Better still, he excels at explaining what it is they do in simple English. Most writers, when confronted with explaining SQL injection or buffer overflows resort to metaphor. Poulsen makes such technical matter completely clear in the span of a couple of paragraphs. Witness:

SQL injection vulnerabilities are the Web’s most persistent weakness. SQL injection has to do with the behind-the-scenes architecture of most sophisticated websites. When you visit a website with dynamic content—news articles, blog posts, stock quotes, virtual shopping carts—the site’s software is pulling the content in raw form from a back-end database, usually running on a completely different computer than the host to which you’ve connected. The website is a facade—the database server is the important part, and it’s locked down. Ideally, it won’t even be accessible from the Internet.

The website’s software speaks to the database server in a standard syntax called Structured Query Language, or SQL (pronounced “sequel”). The SQL command SELECT, for example, asks the database server for all the information that fits a specified criteria. INSERT puts new information in the database. The rarely used DROP instruction will mass-delete data. It’s a potentially perilous arrangement, because there are any number of situations where the software has to send a visitor’s input as part of an SQL command—in a search query, for example. If a visitor to a music site enters “Sinatra” in the search box, the website’s software will ask the database to look for matches.

SELECT titles FROM music_catalog
WHERE artist = ‘Sinatra’;

An SQL injection vulnerability occurs when the software doesn’t properly sanitize the user’s input before including it in a database command. Punctuation is the real killer. If a user in the above scenario searches on “Sinatra’; DROP music_catalog;” it’s tremendously important that the apostrophe and semicolons not make it through. Otherwise, the database server sees this.

SELECT * FROM music_catalog
WHERE artist = ‘Sinatra’; DROP music_catalog;’;

As far as the database is concerned, that’s two commands in succession, separated by a semicolon. The first command finds Frank Sinatra albums, the second one “drops” the music catalog, destroying it. SQL injection is a standard weapon in every hacker’s arsenal.

Seriously, if you still have questions about SQL injections after that, consult Wikipedia, not me. I’ll just give you another goddam metaphor.

Most of the book focuses more on the interplay between characters and personas than the technical workings of software, thank God. In this reality, there are people and there are personas, and it’s important to keep track of who really IS who, who is pretending to be how many different people and who they are, and the relationships not simply between the personas of different people, or between different actual people, but between the different personas of a single person. Vision himself blows his own cover in an IRC chat, later confessing to a forum administrator that he outed himself by accident so he might as well come clean.

Of course, the administrator was talking to Iceman about Digits, not aware of nor concerned with Max Vision, the man behind the curtain, at all. The “meat cart” is essentially irrelevant in the world of hackers unless it needs stimulants or is at risk of being v& (raided and hauled off to the pokey). It lives to serve the brain, which is what creates the personas and calls the shots.

Predictably, because brains are not perfect  and books must have dénouements, Max Vision was indeed v&, and is now serving thirteen years; he’s due out, assuming time off for good behavior and time served prior to sentencing, in 2018, whereupon he is somehow expected to pay $27.5 million in restitution, and good luck with that.

At the time it was the longest sentence ever handed to a hacker in the US, and it was based on the cost to the banks of reissuing over one million credit cards. The actual money taken, $86.4 million, was not, apparently, a factor in sentencing, although it’s doubtful it really costs credit card companies $27.50 to replace a single card. If they’d used the larger number, he could have faced thirty to life, and almost a hundred million dollars in restitution. And that’s just the criminal case: lawsuits are a whole ‘nother matter, as OJ Simpson found out.

If only there was a place you could get fast, easy money…

Categories: Banks, Black Hat, Books, Carders, Credit Cards, Crime, Cyberpunk, Fraud, Hackers, Journalists, Kevin Poulsen, Max Vision, Media, Money, SQL Injection