
A Ukrainian Hacker Who Became the FBI’s Best Weapon and Worst Nightmare - subpar
https://www.wired.com/2016/05/maksym-igor-popov-fbi/
======
GigabyteCoin
Great story. It's not often I find myself reading through to the end.

>Hilbert arranged for the FBI to rent Popov an apartment near the beach and
pay him a $1,000-a-month stipend to continue working on Ant City.

Talk about cheap! They offered him ~$3,000/mo compensation for work that was
saving the US potentially hundreds of millions of dollars per year in
fraudulent credit card charges?

>One victim was the Boston-based multinational EMC, where intruders had stolen
the source code for the company’s ubiquitous virtualization software, VMware.
If the code got out, hackers everywhere could plumb it for security holes.
VMware’s purpose is to allow a single server to house multiple virtual
computers, each walled off from the others. So in the worst-case scenario, a
hacker might find a way to “escape” from a virtual machine and seize control
of the underlying system.

And this just screams of the need for more open source projects.

~~~
cm3
If VMware's security relies on it being closed source, then all bets are off.
This is bad journalism.

~~~
qb45
I think that doing security audits only when your source code leaks (not even
when somebody _threatens_ to leak it) is bad software development, not bad
journalism.

~~~
cm3
It's bad development style, but it's also bad journalism to say the blueprints
are out, now VMware is at risk. VMware is so widely used in critical
situations that it's more than likely that many skilled infosec devs have
tried their teeth at finding attack vectors. Sure, they may have an easier way
to find some faults now, but like Windows, it's a piece of software that's in
constant exploit hunt mode.

~~~
qb45
Well, they pretty much described what actually happened, which is that VMware
wasn't all that confident about their security and panicked when the source
appeared.

While I too would like the article to poke some fun at VMware's attitude ;) I
have to say I really didn't find it particularly offensive as it stands.

I understand the dislike for presenting closed source as "security", but in
this case it seems to have been uninformed copy-paste from VMware's
statements, not the author's agenda. I guess we can only expect so much from
journalists who don't hang out at HN. Hopefully this whole myth will die a
natural death as open source OSs are becoming mainstream, especially on
servers where security counts.

~~~
cm3
I guess the wording got me.

------
miles
Don't miss Hilbert's response to the Wired article:

Rogue FBI Agent Vindicated?

[https://www.linkedin.com/pulse/rogue-fbi-agent-vindicated-er...](https://www.linkedin.com/pulse/rogue-fbi-agent-vindicated-ernest-e-j-hilbert)

~~~
hkmurakami
>The FBI did not screw me. The DOJ/OIG and the Boston based AUSA did.

This being Steve Heyman?

Edit: AUSA must mean "Assistant US Attorney"

~~~
kragen
Heymann was the one that bullied AaronSw to death, right?

~~~
hkmurakami
correct (mentioned in the wired article as well)

------
drops
I looked up the hacker's full name in Russian - Maxim Igorevich Popov - and
found a Ukrainian news article dated as far back as 2001, the year when this all
started. So technically Wired's article wasn't the first public mention of
the incident, but the first big and full story.

Here's the old article itself: [http://fakty.ua/96374-grazhdaninu-ukrainy-kotorogo-fbr-obvin...](http://fakty.ua/96374-grazhdaninu-ukrainy-kotorogo-fbr-obvinyaet-vo-vzlome-kompyuternoj-sistemy-banka-quot-vestern-yunion-quot-grozyat-20-let-tyurmy-i-polmilliona-dollarov-shtrafa)
It's in Russian and has some interesting stuff, like details from Popov's mom
and dad (!), and it mostly covers the events that led to Popov's imprisonment.
The article is quite long, but here is some stuff, like Popov's background,
that's missing from Wired's article:

>Popov studied English and German languages in Kyiv National Linguistic
University

>He was already married by the time the shit went down

>His parents didn't know he was a proficient hacker, they thought he was just
a regular user

------
trhway
>One thing Popov had always known about Eastern European hackers: All they
really wanted was a job.

How true. Making money/living using your [technical] brain. There were only
limited possibilities for it in Russia until the mid-199x, and it only gradually
became reality towards the end of that decade. As far as I understand, in
Ukraine it took at least 10 years more.

~~~
ChemicalWarfare
I worked for a couple of companies who outsourced some heavy lifting low-level
dev tasks to Ukrainian-based teams.

Hands down the best experience dealing with outsourced devs ever. Very strong
technically, delivering on time with the highest quality I've ever seen from
outsourced teams. Communication-wise always eager to jump on a Skype or Google
Hangout call to talk sh*t over instead of emailing into the void and waiting
for answers for days.

~~~
mercer
That's very interesting. Can you contrast that with other experiences? Or
maybe elaborate more on how this worked? Potential pitfalls?

I'm running an Amsterdam-based company that currently is fully focused on
helping local twenty-somethings get going as programmers, because even here in
Holland it can be slim pickings for smart, driven people.

But long-term I'm more interested in working with people who often have it
even worse, just because of geography, which seems arbitrary and unfair to me.
My eyes are currently on the Southern nations - Greece, Albania, Spain, etc.,
but mostly because it's generally less of a headache what with the EU and my
personal knowledge of some of their cultures. Ultimately I don't really care
who I work with, I just want to channel some of the money we have here to
people who don't have it.

~~~
ChemicalWarfare
Sure. One company I worked with was actually US-based with PMs and high level
architects scattered all over the Midwest and the actual dev team in Ukraine.
They were very up front about it from the get go, and once they realized we
don't beat around the bush too much, once the SOW was signed they started
inviting the dev team to our status meetings and offered that we get hold of
the devs directly if we would like to when needed. Which was awesome, since
most of the outsourced shops I've dealt with in the past would only have us
deal with the PM and a couple of high-level SAs. And then if you do manage to
get hold of their tech team they won't be overly responsive, and typically
you'd need 3 or 4 of the devs to get a complete picture of what's going on or
to solve the issue you're having.

Another company was based in Ukraine altogether with no US presence. Same deal
basically, a little rougher English-wise but not too bad; their chief SA worked
in the States in the past, so he would jump in to clarify things if need be.

Where those guys really shine is understanding things end-to-end no matter
what the role on the particular project entails. I'd be talking to a front-end
developer about some symptoms I'm seeing and he'd be troubleshooting down to
the wire basically - dumping proxy logs, generating Wireshark captures, etc.
etc.

------
iamandoni
If you liked that, you should also read Kevin Poulsen's Kingpin. Absolutely
enticing story.

~~~
mercer
Could you tell me more about it? It's a book, right? I rather liked his
writing for Wired, but I've got a book list longer than my life to get
through...

------
skilled
Good read. Gives perspective of how the security scene has shifted from public
hacking, to the private sector. So much is going on behind the scenes, little
scoops like this are nice reminders.

------
alexroan
One of the most interesting reads I've found on HN in the last few days. Felt
like reading a crime thriller novel.

------
wrong_variable
Very well written.

How hard is it to program these types of systems? It sounds quite
technically challenging to build an automated system that can easily steal
information from Target etc.

~~~
unexistance
Technically, once you know the exact command / syntax, just code, compile &
wrap nicely for easy usage...

Just a typical programming / scripting routine

------
TY
Another fantastic piece from Kevin Poulsen. I really enjoyed his book
"Kingpin" and this article continues the tradition.

If anyone wonders how an editor at Wired manages to get all the technical
details right, this Wikipedia article will help [1].

TLDR: Kevin is a former black hat hacker - caught, sentenced, served time - who
has since become a great journalist and author.

[1]
[https://en.wikipedia.org/wiki/Kevin_Poulsen](https://en.wikipedia.org/wiki/Kevin_Poulsen)

~~~
mercer
Poulsen is one of the few journalists' names I recognize, and while I'm not
entirely positive about Wired, I've liked what he's written for them.

------
Tycho
Where can I read more about this Eastern European hacking scene? A few months
ago I listened to a talk by the CEO of Palantir who mentioned that in the
PayPal days they unsuccessfully hired PhDs in a battle against the scammers,
saying "it turns out you can't outsmart the Russian mob, they're very
technical." (The solution was to hire lots of lower skill people and give them
some tools to fight the battle.)

------
maibaum
This is the most painful longform reading experience I've ever had on a
computer. I am 'reading' this from a 15" MBPR at 1440x900 - default
resolution.

First page load (default zoom), a single paragraph takes up the entire window.
[http://i.imgur.com/7gElCv9.png](http://i.imgur.com/7gElCv9.png)

Next, I try 'zooming out' twice, aka cmd-. Turns out the text doesn't reflow to
fit the window, it just shrinks. This is what it looks like.
[http://i.imgur.com/hr98Ryi.png](http://i.imgur.com/hr98Ryi.png)

As a last effort, I switched on Reader View in Safari and it only displayed
the first three paragraphs of the article.

Sigh. I like Wired, and mobile is important - but not this important.

~~~
mercer
Without any particular opinion on the reading experience, I've been wondering
about something. Why is it that quite a few pages that I use Safari's
(otherwise excellent) Reader View on don't display the full article? Is it
intentional? Some flawed parsing on Safari's part?

In most cases adding the article to my Instapaper list solves the issue, but
even there I occasionally find missing content, in particular on Wikipedia
pages. Which is odd, because I'd expect Instapaper to find some way to handle
those well.

------
kaosjester
Good thing this article names a bunch of people who wanted all of this history
about them anonymous.

------
reality_hacker
"Maksym Igor Popov" name sounds so fake.

~~~
paganel
It comes from a 7th century Christian Orthodox monk and theologian called
Maximus the Confessor who has a good reputation among Christian Orthodox
faithful.
[https://en.wikipedia.org/wiki/Maximus_the_Confessor](https://en.wikipedia.org/wiki/Maximus_the_Confessor)

~~~
vsss
What a bs. Russians/Ukrainians do not have second names.

~~~
ausvisaissues
Usually when Russians write their name, they write:

Given Name + Patronymic Name + Surname

Given name: Vladimir

Patronymic name: Alexandrovich (son of Alexandr)

Surname: Putin

The patronymic name and surname change between male and female.

What is not clear is why Igor is not written as Igorevich.

Perhaps a Russian/Ukrainian user can weigh in?

~~~
gonzoua
It may be the name he provided as his legal name when applying for a
visa/permit. The patronymic name is a foreign concept for the US/Canadian legal
system, so for immigration purposes it is treated as a middle name AFAIK, and
quite liberally at that.

The Canadian immigration service, for one, just cuts the patronymic name if the
total length of first + patronymic + last names exceeds a certain limit (my
guess - the limit is the length of the field in some form/database). So
"Igorevich" becomes "Igore" or "Igorev" depending on your first/last name
lengths. The US may have more flexible rules and lets you provide your version
of the middle name or drop it altogether.

I wouldn't attach too much importance to this detail.

~~~
vsss
There are no patronymics in Russian passports at least, not sure about
Ukrainian. But even if there were, it would be Igorevich 100%. And it's always
written on American visas as in the national passport.

------
altonzheng
I thought I was on a mobile page because of the lack of side bars and other
distractions. Nice job wired!

~~~
PeCaN
It even works with JavaScript disabled... what is this sorcery?

------
hauget
Great story... but the amount of resources that webpage consumes is f-ing
RIDICULOUS.

~~~
digi_owl
That's what we get when we apply the app mentality to the web...

