Whitehat hacker made FBI patsy
By: Kevin Poulsen
Posted: 09/05/2001 at 08:43 GMT
American federal officials used threats and a false promise of leniency to lure
computer security researcher and admitted cyber intruder Max Butler into
becoming an undercover FBI informant, according to a defense motion filed in
the case Tuesday.
It was only when Butler balked at covertly recording a friend and colleague,
and instead sought advice from an attorney, that the government threw the book
at him, the motion charges. "The government as much as promised him he would
receive consideration," says defense attorney Jennifer Granick. "At least until
he hired an attorney."
Butler, known as "Max Vision" to friends and associates, pleaded guilty last
September to a single count of computer fraud, for penetrating a series of
Defense Department computers in May of 1998. He's set for sentencing in San
Jose, California on May 21st. Under federal sentencing guidelines, Butler faces
18 to 24 months in prison.
The case was unusual from the start. Butler is not a typical "Black Hat"
hacker. A consultant who specializes in performing penetration tests on
corporate networks, the 28-year-old is well regarded in computer security
circles, and several members of the community wrote letters of support for
Butler's sentencing hearing.
In particular, Butler is an expert on intrusion detection: the science of
automatically analyzing Internet traffic for "signatures" indicative of an
attack, and he created arachNIDS, a popular open source catalog of attack
signatures that forms part of an overall public resource at WhiteHats.com.
In Tuesday's motion, Butler's defense lawyer Jennifer Granick argues that the
financial losses alleged in the case are inflated. The government claims Butler caused
$60,000 in damage, based on the hours spent recovering from the attacks. The 18
to 24 month sentence calculation is based in part on those losses, and if the
sentencing judge agrees the figure is unreliable, Butler will likely receive a
reduced sentence.
Granick also argues that there are mitigating factors in the case that warrant
a sentence below the guidelines, and for the first time offers some insight
into Butler's motives in the 1998 cyber attacks.
BIND hole
In May, 1998, the Internet was reeling from a devastating vulnerability
discovered in a ubiquitous piece of software called the BIND "named" domain
server. Formally known as the BIND iquery buffer overflow vulnerability, the
hole had been publicly announced by Carnegie Mellon's Computer Emergency Response
Team (CERT) a month earlier, and a software patch to fix it was available for
download. But according to an FBI affidavit, the hole was still in place on Air
Force systems, nuclear laboratories, the U.S. Departments of Commerce,
Transportation and the Interior, as well as the National Institutes of Health.
Near the end of May, the hacker group ADM raised the stakes by publishing a
computer program capable of spreading through vulnerable systems automatically.
It was concern over the damage the worm could wreak on an unprepared Internet
that spurred Butler to his fateful course. "Mr. Butler modified the worm
program to download and install the official software patch that repaired the
BIND/named vulnerability from the software vendors' web site," Granick's motion
reads. "Mr. Butler used his modified worm to automatically get root access on
machines through the named vulnerability and fix the named hole."
It could have been an unsullied act of mass guerrilla patching -- a relatively
harmless hack that would have left the Internet a little more secure, while
dappling only a few spots of gray on Butler's white hat.
But Butler's worm also installed back doors on every system it patched, and
reported their location back to Butler, giving him a way into the machines even
as he locked out other hackers. That feature simultaneously made the crime
harder to defend, and easier to solve.
"The Air Force was the first to realize what was going on; a lot of bases were
being hit, a lot of flags were going up," says Eric Smith in an interview.
Smith spearheaded the Butler investigation as an Air Force Office of Special
Investigations (OSI) computer crime sleuth. Now a computer security and
investigations specialist at Denver-based e-fense, he recalls the electronic
trail leading from McChord Air Force Base to Butler's Northern California home
was relatively straightforward.
But the reaction Smith received when he brought in the local FBI office was
more puzzling. "As I was talking to them, I said the name [Butler] and they
kind of hesitated. Then they said they'd call me back."
Enter the "Equalizer"
It turns out Butler was no stranger to the San Francisco FBI: The Bureau's
cyber crime team had been tapping his expertise on a volunteer basis since
1996. "Max Butler is well known to the [agents] of the Computer Crime Squad,"
reads a 1998 affidavit by FBI agent Peter Trahon. "Butler has been a
confidential source... for the FBI for approximately 2 years. He has provided
useful and timely information on computer crimes in the past."
"They were definitely surprised," recalls Smith. "It was kind of a sensitive
situation."
Court records don't reveal what kind of information Butler provided the FBI up
to that point, but his lawyer characterizes it as "periodic intelligence
reports" dealing with computer security vulnerabilities, software piracy
techniques, and password cracking, all on a purely technical level.
The nature of Butler's contribution was about to change.
Armed with a search warrant, three FBI agents and OSI's Smith searched Butler's
home on July 2nd, and found a penitent and contrite hacker, who immediately
confessed to everything. "He wanted to help out," recalls Smith. "He wanted to
do everything he could to try and make things right."
The FBI saw an opportunity. "They told him that in order to set things right
and to make amends, he had to work off his mistake by assisting them with other
investigations," Granick writes. "Mr. Butler told the agents he wanted to
continue to help and agreed that he would work for them."
"They were interested in doing more work with him," recalls Smith. "They
thought he might have some more information on things that were going on."
The agents gave Butler the nickname "Equalizer," and immediately put him to
work. Phone hackers had infiltrated 3Com's PBX, and were using the company
phone system for free teleconferencing. Butler's first mission was "to
familiarize himself with new telephone system intrusion tools and techniques
and to be able to pose as a 'phone phreak' (telephone hacker) in the
investigation," the motion reads.
"Mr. Butler, using his computer knowledge, and dropping the names of people the
intruders knew from Internet Relay Chat (IRC), was able to lull the intruders
into a sense of security. They then revealed, to Mr. Butler and through him to
the FBI, the name of the hacking group that had committed the intrusion and the
handle of the primary intruder," reads the motion. "During this monitored
conversation, the suspects also discussed several instances of credit card
fraud occurring over the network."
Butler went on to hold IRC conversations with the hackers, and provide the FBI
with transcripts.
The agents were evidently pleased enough with Butler's work to give him another
assignment, and near the end of July they summoned "Equalizer" to a meeting in
the FBI offices high above San Francisco's Golden Gate Boulevard.
Ratting on DEFCON attendees
Butler's new mission: Attend the DEFCON hacker convention at the Plaza Hotel
and Casino in Las Vegas -- the largest annual gathering of security experts,
hackers and cybercops in the world. "There, he was to collect PGP encryption
keys from conference attendees and try to match people's real names with their
hacker identities and with the keys," reads the motion.
The motion doesn't reveal how much information Butler gathered at DEFCON 6.0 on
behalf of the FBI, and in an interview, Granick said Butler doesn't recall what
he reported back to the Bureau. On Granick's advice, Butler refuses interviews
about his case.
After DEFCON, the FBI had another assignment for Butler. This time he was to
wear a transmitting device - a 'wire' - and secretly record friend and
colleague Matthew Harrigan, then CTO of San Francisco security services firm
MCR, for which Butler had performed some consulting.
It was no secret that Harrigan had a bit of hacking in his past. In 1996, he
even discussed his past life as the hacker "Digital Jesus" in the pages of
Forbes magazine. He assured readers that he'd long ago taken to the straight
and narrow.
But the FBI either wasn't convinced of Harrigan's reformed character, or
believed that some of Digital Jesus' youthful adventures might fall within the
five year statute of limitations. "The FBI was probably interested in me
because I do associate with these people," says Harrigan. "Yes, I go to DEFCON.
Yes, I hang out with them. Yes some of them are my friends. Did I participate
in illicit activities? No. Absolutely not."
Harrigan was never charged with a crime. He believes the Bureau was on a
fishing expedition, trying to conscript more hackers into unwilling servitude.
Instead, Butler's public service was drawing to a premature close. Apparently
reluctant to become Linda Tripp, the hacker instead sought legal advice for the
first time since his home was searched. He quietly made an appointment with
defense attorney Granick, and, according to the defense motion, contacted the
FBI agents to tell them "he would not be able to go along with the plan that
day."
The FBI didn't like that.
"In the future, missed appointments without exceptional reasons will be
considered uncooperative on your part," FBI agent Beeson wrote Butler in an
email. "If you are not willing to cooperate then we HAVE to take the
appropriate actions. [Agent] Pete [Trahon] is meeting with the prosecutor on
YOUR case Monday. He wants to meet with you promptly in our office at 10:00am
sharp, MONDAY 8/17/98."
That was to be the last email from the San Francisco FBI to their "Equalizer."
Skeptical of the FBI's intentions, Granick phoned one of the agents to ask for
the details of their arrangement with Butler. She got a cool response.
Eventually, she reached Assistant U.S. Attorney Ross Nadel, who was overseeing
the case. He was, according to the motion, somewhat blunter.
"At that time, defense counsel was told that the government was no longer
interested in Mr. Butler's cooperation and that Mr. Butler could look forward
to being indicted," Granick writes. "The only thing that had changed in the
interim was that Mr. Butler had hired an attorney."
No credit for cooperation
"Presumably... they never had any intention of giving Mr. Butler any tangible
benefit for his activities as a cooperating witness and believed that an
attorney would advise Mr. Butler that under those circumstances, further
cooperation was not in his best interest," the motion reads.
Neither the San Francisco FBI office, nor prosecutor Nadel, returned phone
calls regarding the case.
Despite Butler's cooperation, in March 2000 the government threw the book at
him. Butler was slammed with a fifteen-count indictment charging him with
interception of communications, computer intrusion and possession of stolen
passwords. He was arrested, and, after a night in jail, released on signature
bond.
Butler's guilty plea last September won him a standard "acceptance of
responsibility" sentencing adjustment, but in Tuesday's motion, Granick argues
that a further reduction in his sentence is called for because of his work for
the Bureau. She accuses the FBI of using and betraying the hacker.
"They tried to take advantage of his remorse and naïveté," says Granick in an
interview. "They didn't cut him any slack... He didn't get any credit for his
cooperation."
Granick says the Butler case offers a lesson to other would-be 'Equalizers'.
"If you're going to cooperate with the FBI, get an attorney to help you craft
the terms of the deal," says Granick. "And get it in writing."
© 2001 SecurityFocus.com, all rights reserved.