
A Virginia hacker catches the attention of federal law enforcement - Sami_Lehtinen
http://www.washingtonpost.com/local/crime/a-virginia-hacker-catches-the-attention-of-federal-law-enforcement/2014/09/27/51251eee-1405-11e4-9285-4243a40ddc97_story.html
======
fphhotchips
This guy is an idiot. Maybe he's very good technically, but this isn't even
good policework. This is straight out of the troll method of questioning [1].

[1] "Detritus was particularly good when it came to asking questions. He had
three basic ones. They were the direct (“Did you do it?”), the persistent
(“Are you sure it wasn’t you that done it?”), and the subtle (“It was you what
done it, wasn’t it?”)." -- Terry Pratchett, Feet of Clay

~~~
arh68
Amateurs all around. Obviously the DHS can't trust him: who hacks gift cards
at night then rolls into work at _General Dynamics_? It's not like anyone else
can trust him, either: he's obviously dumb enough to be an informant (does he
_still_ not have a lawyer?), and he's likely not to shake that ever.

If anything, the story boils down to _22-year-old Mason grad loses his General
Dynamics job through mindless bragging & to-be-expected snitching_

~~~
Nanzikambe
> who hacks gift cards at night then rolls into work at General Dynamics?

A common theme in pretty much every case I've ever read about a busted
blackhat involves bragging in some ridiculous context. I'd believe this.

------
reitzensteinm
> [...] will randomly cause a digit to flip and a Web user will be sent to the
> wrong site — for instance, Micro2oft.com instead of Microsoft.com.

Disappointed, but not surprised, that the given example is incorrect -
Micro3oft.com would have fit.

[http://www3.amherst.edu/~jcook15/ascii-binary-chart.gif](http://www3.amherst.edu/~jcook15/ascii-binary-chart.gif)
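The arithmetic behind this correction, as an added example that is not part of the thread: a single flipped bit turns the ASCII 's' (0x73) into '3' (0x33), while '2' (0x32) is two bits away. The function below enumerates every one-bit-flip variant of a hostname that is still a valid DNS name, the list a domain owner would register or monitor for bitsquatting; the hostname handling is a simplified LDH rule and is this example's own assumption.

```python
# Added example (not from the thread): enumerate single-bit-flip variants of a
# hostname ("bitsquatting"), keeping only results that are still valid names.
# Defenders use such a list to register or watch look-alike domains.
import string

# Characters allowed in a DNS label (letters, digits, hyphen); matching is
# case-insensitive, so only lowercase is kept.
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def hamming_distance(a: str, b: str) -> int:
    """Number of differing bits between two equal-length ASCII strings."""
    if len(a) != len(b):
        raise ValueError("strings must have equal length")
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))


def bitsquat_variants(hostname: str) -> list:
    """All hostnames reachable from `hostname` by flipping exactly one bit of
    one character, filtered to those that remain valid lowercase DNS names."""
    hostname = hostname.lower()
    variants = set()
    for i, ch in enumerate(hostname):
        if ch == ".":
            continue  # a flipped dot changes the label structure; skip it
        for bit in range(7):  # ASCII is 7-bit; flipping bit 7 leaves ASCII
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped == ch or flipped not in LABEL_CHARS:
                continue
            candidate = hostname[:i] + flipped + hostname[i + 1:]
            # labels may not be empty or begin/end with a hyphen
            if any(not lbl or lbl[0] == "-" or lbl[-1] == "-"
                   for lbl in candidate.split(".")):
                continue
            variants.add(candidate)
    return sorted(variants)


if __name__ == "__main__":
    for v in bitsquat_variants("microsoft.com"):
        print(v)
```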

------
sgentle
I don't think "you're such a talented criminal, would you like a job?" coming
from a federal agent is terribly trustworthy. It was previously used to catch
the Half Life 2 hacker back in '04, although granted he basically did it to
himself.

At the very least, it would seem like a bad idea to sign something like that
without a lawyer, who I assume wasn't involved because, well, what lawyer
would say "yeah, go ahead and sign a confession in exchange for an informal
verbal job offer"?

------
muriithi
Don't Talk to Police
[https://www.youtube.com/watch?v=6wXkI4t7nuc](https://www.youtube.com/watch?v=6wXkI4t7nuc)

~~~
bluecalm
While probably good advice in the US, it's a very sad state of affairs that it
gets repeated. It's not something we should have in a civilized society. If
people learn to just refuse to talk in routine situations then both trust and
the ability to investigate go down a lot. It's also terrible advice in some
other countries where failure to cooperate and answer questions could be used
against you.

~~~
rasz_pl
trust? what trust?

------
dopamean
I was an early 2000's script kid who got in a lot of hot water over my
actions. Then three years later, right before I was to go off to college, two
FBI agents showed up at my house to offer me a job. They went about it in an
extremely sketchy way that made me very uncomfortable. I said no and called a
lawyer.

The big thing I learned from that whole situation is that you should say as
little as possible to law enforcement without a lawyer present.

~~~
walshemj
A recruitment pitch to work for the FBI or act as an agent for them?

~~~
dopamean
TBH it was 2003 and I'm a little light on the actual details. As I remember
it, it was to work for the FBI, but now that you mention it, it is more likely
that I would have been acting as an agent.

------
numann
If Muneeb is charged, any attempts at recruiting hacking talent will be
hindered. This could make DHS look very bad if they push this forward.

------
fenomas
> There was one catch: Akhter said he was required to sign a statement saying
> he had created the hack and to show agents that he could actually do it.

It sounds more like DHS caught someone doing social engineering, hired him to
help them catch hackers, and this is what he came up with.

------
cyphunk
The majority of comments on this thread are off with their suspicions of foul
play on the "hacker's" part.

The details from the article mostly add up. There is information missing that
could confirm this (review of skill-set showing competency in side channel
attacks, perhaps a followup on the DARPA grant) but the general attack
described could be possible. Also, intelligence agencies looking for snitches
should be read as an agent fishing for a spy. A special type of spy with
technical skills. It might be that after hitting the first "go hire him and
bring him into our RED_or_Black team" later the agency got cold feet or
countered and as a result they could only offer him the more arms-length
freelance type of position where you work on blackbox projects while remaining
independent but also have the alternate task to feed information about the
community. This. Happens. This is the modus.

The only thing I do not get is when they were still looking to hire and put
him close rather than the arms-length position, why the "would have to move to
Seattle" requirement? And this sparks my attention because pre-Snowden I knew
several security analysts in Redmond that doubled as consultants for Gov. I
wonder if Gov eventually just set up shop there?

~~~
rasz_pl
No recruitment pitch starts with 'please sign this sworn guilty plea'

~~~
adventured
This is the most important point of the whole article.

A recruitment pitch would start with: 'we will grant you life-long immunity
from prosecution regarding anything you have done in relation to these hacks'
- for that would be the ultimate sales pitch, one the government would have
no problem using: work with us, or else

------
pauleastlund
The really baffling part is how he possibly thinks he could be helping himself
by giving this interview.

~~~
PhasmaFelis
IMHO, the _really_ baffling part is why the hell he thought bragging to his
coworkers was a great idea. Close friends I could maybe understand, but office
randos?

So many stupid smart people out there.

------
timsally
The job offer is a pretty obvious lie. Full government jobs don't pay
$150,000+ until you get to an extremely senior level [+] (private contractors
do pay that much, but DHS certainly can't extend job offers on behalf of a
private contractor). I think it says quite a bit about the ego and/or
ignorance of this person if they thought they were so special that they would
be offered this type of job...

[+] [http://en.wikipedia.org/wiki/Senior_Executive_Service_(United_States)#Pay_rates](http://en.wikipedia.org/wiki/Senior_Executive_Service_(United_States)#Pay_rates)

~~~
Nanzikambe
It's worth noting that it's likely that sub-contractors working for
private-sector firms (contracted to provide services to alphabet-agencies)
earn this much.

Snowden was apparently earning ~$200k at Dell then took a pay cut to ~$122k to
work at Booz-Allen. There's some controversy about his claims in that respect,
but I believe them -- they would have to pay competitively or else they'd be
at a considerable disadvantage in the tech/infosec arms race.

Given who was at his door though, I agree: this wasn't a legit job offer.

------
ianstallings
It is highly unlikely they would consider anyone who breaks the law for a job.
DC doesn't work that way, typically. Trustworthiness is a more sought after
quality than any other. If you even have bad credit or smoked a joint in the
last year you won't be getting any secret clearances anytime soon, let alone
if you committed a major crime.

~~~
SoftwareMaven
It's a catch 22, though. People with hacking skills are, by their very nature,
sitting on the edges of legal territory. Sure, some stay completely white, but
is using the card to do a test at Dunkin' Donuts full-on black hat? Loading
friends' cards is where he ultimately crossed the line, IMO (a part he says
was mis-transcribed).

~~~
phaus
Yes. Using the card to steal from Dunkin' Donuts counts as black hat.

If he purchased a single cup of coffee 1 time, I'd have some sympathy for him,
but that's not what happened. Instead, he helped his friends steal hundreds if
not thousands of dollars in products and services.

------
downandout
Let there be no mistake about it: they were/are to build a case against him.
Simply telling your co-workers about a hack that you could have easily made up
to impress them isn't even enough evidence for a search warrant, let alone an
arrest. The fact that he played into the not-so-clever ruse that DHS used on
him so naively is a perfect example of the difference between intellectual and
real-world intelligence. Any 10 year old from a bad neighborhood would have
known not to say anything to the agents, yet he sat there, with his family
looking on, essentially saying "yes, please take away my future" with every
word he said and wrote.

On a side note...

> _He also has dabbled with other “black hat” hacks, such as code that
> allowed him to win Web auctions with low-ball bids._

This was mentioned in passing, but it would be interesting to find out what
technique he claims to have used to accomplish this.

~~~
eli
Sounds like run of the mill "bid sniping" software, designed to bid on an
auction at the last possible millisecond. (The thinking being that auctions
with existing bids attract other bids.)

~~~
downandout
You may be right - it didn't really include enough details to judge, but based
upon the nature of his other activities I was thinking his technique might
have been more intriguing. Who knows. When he is arrested maybe it will come
out in court documents.

------
Humjob
If the government ends up prosecuting him, it will be a massively idiotic move
on their part. It's already bad enough that they've withdrawn their job offer.
To use a war analogy, this situation is similar to your army shooting a
surrendering enemy at the end of a battle, thereby ensuring that no future
enemies will want to surrender and will instead fight to the death. You gain a
short run benefit at the expense of destroying your reputation.

Offering him a job under false pretenses and then prosecuting him creates a
big disincentive for any future hackers to a) talk to government officials who
approach under seemingly benevolent circumstances and b) even want to work for
the government at all if it pulls scummy moves like this.

------
Fjolsvith
Most likely DHS won't be able to use this guy as a federal informant now that
this article is out. Did he think that crying to the press would give him some
kind of immunity to prosecution?

------
steakejjs
This was almost certainly a social engineering hack (if it is true at all,
which I don't believe it is). There is no trick to how a gift card works...

A token value is stored on the card which maps to a number in the backend,
where they keep state. The value on the card is static.

It also sounds like his motivations are criminal. Otherwise he would have
stopped before stealing hundreds of dollars.

~~~
scandinavian
Where I'm from it is possible by bruteforce with some providers. The cards are
purely recognized by a number, and this number can be used to check the
balance on the card on their website. The numbers are not random, but in
series, so all it takes is a card writer and finding a number with an active
card with money on it.

~~~
steakejjs
I suppose it is possible. I just checked Sheetz gift cards and the value you
enter online is 19 digits and incremented. However, in the past I examined
Sheetz cards and the value on track 2 of the mag stripe was different from the
incremented 19-digit card code. If a provider did use the same value, you
could increment, guess, and write.

The problem is it's all on camera.
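The defender's side of the enumeration scenario the two posts above describe, as an added example that is not from the thread: a balance-check endpoint that accepts sequential card numbers will see one source walking through neighbouring numbers, and that pattern is easy to flag in the web logs. The log format, addresses and card numbers below are constructed for this example, as are the thresholds.

```python
# Added example (not from the thread): flag balance-check traffic from a
# source that queries card numbers in sequence, the enumeration the comments
# describe. Log format, IPs and card numbers are constructed for this example.
from collections import defaultdict

SAMPLE_LOG = """\
2014-09-27T10:00:01 203.0.113.7 balance card=6000000000000012345 ok
2014-09-27T10:00:02 203.0.113.7 balance card=6000000000000012346 empty
2014-09-27T10:00:02 203.0.113.7 balance card=6000000000000012347 empty
2014-09-27T10:00:03 203.0.113.7 balance card=6000000000000012348 ok
2014-09-27T10:00:05 203.0.113.7 balance card=6000000000000012349 empty
2014-09-27T10:00:09 198.51.100.4 balance card=6000000000000090001 ok
2014-09-27T10:07:41 198.51.100.4 balance card=6000000000000090001 ok
"""


def parse(log: str):
    """Yield (source_ip, card_number) for each balance-check line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "balance":
            continue
        yield parts[1], int(parts[3].split("=", 1)[1])


def sequential_runs(log: str, min_distinct: int = 4, max_gap: int = 2) -> dict:
    """Return {ip: run_length} for sources whose distinct card numbers contain
    a run of at least `min_distinct` values, each within `max_gap` of the
    previous one when sorted. A legitimate customer re-checking one card
    yields a run of 1 and is never flagged."""
    by_ip = defaultdict(set)
    for ip, card in parse(log):
        by_ip[ip].add(card)
    flagged = {}
    for ip, cards in by_ip.items():
        ordered = sorted(cards)
        best = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            best = max(best, run)
        if best >= min_distinct:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(sequential_runs(SAMPLE_LOG))
```

The separate track 2 value the second post mentions is the matching mitigation: the guessable printed number alone should not be enough to redeem a card.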

------
eyeareque
I hope the DHS doesn't hire people who make mistakes and bad decisions as much
as this guy did.

------
jokoon
are there ISO standards for computer security ?

~~~
sarciszewski
ISO 27001

~~~
jokoon
does it certify programming practices ?

~~~
angersock
Surely you're joking--what does security have to do with programming
practices?

~~~
jokoon
sanitizing inputs, protocols... the list can be very long.

