Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
The Courts Government The Internet Security News

Hacker Sentenced To Longest US Sentence Yet 775

Iphtashu Fitz writes "The Associated Press is reporting that a Michigan man has been sentenced to 9 years in prison for his involvement in hacking into the corporate systems of Lowe's Home Improvement and attempting to steal customer credit card information. The sentence far exceeds the 5 1/2 years that hacker Kevin Mitnick spent behind bars. Two others are awaiting sentencing, including one of the first people to ever be convicted of wardriving. Prosecutors said the three men tapped into the wireless network of a Lowe's store in Southfield, Mich., used that connection to enter the chain's central computer system in North Wilkesboro, N.C., and installed a program to capture credit card information. No data was actually collected however."
This discussion has been archived. No new comments can be posted.

Hacker Sentenced To Longest US Sentence Yet

Comments Filter:
  • by lunarscape ( 704562 ) on Wednesday December 15, 2004 @08:31PM (#11099281)
    That's the longest sententence indeed.
  • Good (Score:5, Insightful)

    by Anonymous Coward on Wednesday December 15, 2004 @08:32PM (#11099284)
    They were criminals. These were crackers, not hackers. You don't install credit card number capturing software on someone's retail network unless you're up to no good.
    • Re:Good (Score:3, Informative)

      by msmercenary ( 837876 )
      Three down, thousands of skript kiddies to go.
    • Re:Good (Score:3, Interesting)

      by rainman_bc ( 735332 )
      Yeah, America already has the highest per-capita incarceration rates in the world.

      Really, is the policy working?
      • Re:Good (Score:3, Insightful)

        by TopShelf ( 92521 )
        And how many of these are crackers like this guy? What's your point, exactly?
      • Re:Good (Score:3, Interesting)

        by mizhi ( 186984 )
        When you talk about high incarceration rates in the US, most people agree that the main culprit is the US' assinine drug laws. Please tell me how this relates to credit card theft?

        On a somewhat related note, why is it that so few /.ers are getting their knickers in a twist over the blatant invasion of privacy and potential theft of billions these assholes tried to pull off? If this had been some ad-company surreptitiously grabbing personal information (not even CC information), /.ers would be going banan
    • (not) Good (Score:2, Insightful)

      They were not being "nice" but they weren't hurting anyone (at least not yet). The real problem I have is Lowes was putting credit card data on a wireless network! It wasn't secure enough, as someone knew about it, and successfully exploited it.

      So what's worse:
      Not nice (Hackers),
      or _grossly_ irresponsible (Lowes)?
      • bull (Score:5, Insightful)

        by Errtu76 ( 776778 ) on Thursday December 16, 2004 @07:17AM (#11102662) Journal
        They were not being "nice" but they weren't hurting anyone (at least not yet).

        'Yet' ... So we have to wait until they (ab)use credit cards before they should be stopped?

        The real problem I have is Lowes was putting credit card data on a wireless network!

        I agree this is pretty dumb, but it's still no reason for it to get cracked. Think about this: you have an expensive house and several heavy locks on your door. One day you forget to lock them. Does this justify every burglar that walks up to your house, opens the door, enters your house and sets up camera's? Okay, they didn't steal anything (yet), but it's really your fault. Yeah right. They knew exactly what they were doing, and the fact that the security wasn't good enough is *no* reason whatsoever to justify this crime.
  • Don't worry. (Score:5, Insightful)

    by Anonymous Coward on Wednesday December 15, 2004 @08:33PM (#11099295)
    Thanks to our parole system which considers rape, murder, and anything else that isn't drug sales to be harmless to society, he'll be out in just four or six.
  • Three Ring Circus! (Score:3, Insightful)

    by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Wednesday December 15, 2004 @08:34PM (#11099304) Homepage Journal
    For reference, a typical sentence for breaking and entering with intent to steal is about two to four years...

    But, hey. It looks better when they catch a guy "breaking" into a computer across the internet then when they catch someone actually breaking into a house. Best to throw the biggest book in the area at them to play the circus up some.
    • To qoute the article...

      "I think the massive amount of potential loss that these defendants could have imposed was astounding, so that's what caused us to seek a substantial sentence against Mr. Salcedo," federal prosecutor Matthew Martens said.

      Thousands of compromised accounts would have lead to quite the theft rings... this is a little bit more serious than simply breaking in.
      • by ScrewMaster ( 602015 ) on Wednesday December 15, 2004 @08:52PM (#11099483)
        True, but the point is valid: had they physically broken into a store and walked off with a bunch of credit-card receipts, would they have received a similar sentence? Or is this just being blown out of proportion because it involves "the Internet"? On top of that, they actually managed to steal nothing ... as the prosecutor said, it was the amount of damage they could have imposed that resulted in the "substantial sentence", not what they actually did. So, in other words, these guys are having a larger book thrown at them than they probably deserve simply because the government would like to make an example of them. Is that a good thing? Perhaps ... but it does indicate that the punishment may not be fitting the crime any too well. That is wrong in and of itself, but has always been the pattern of law enforcement regarding white-collar computer crimes. I suppose that there is a genuine desire to create a deterrent effect (ineffectual as it has been), but there is often an equally genuine ignorance of technological issues by law enforcement.
        • by Lumpy ( 12016 )
          On top of that, they actually managed to steal nothing ... as the prosecutor said, it was the amount of damage they could have imposed that resulted in the "substantial sentence", not what they actually did.

          sweet this set's a pattern up for lawyers to use.

          "your honor, when we pulled him over he had a rifle in his trunk, he had the potential of not only shooting several hundred people, but the car he was driving could have been used for mass murder also... instead of a $50.00 running a stop sign fine, I s
      • You took a quote from the prosecuter - a guy with a vested interest in slamming people and playing it up so he looks better - as evidence defending the sentence? While there's no technical problem with that, the level of bias is so extreme that I find it hard to believe anyone in their right mind would take it as a reasonable amount of evidence.

        I also find it hard to believe they'd have been slapped with that sentence had they stolen the tape backups instead of used a network.
    • Although it isn't very clear from TA, I imagine that the majority of the 9 year sentence was simply for attempted credit card fraud. Cracking was just the method, not the main crime.
  • by Anonymous Coward on Wednesday December 15, 2004 @08:34PM (#11099309)
    They should lock up the fool that set their network up!
  • by Anonymous Coward on Wednesday December 15, 2004 @08:35PM (#11099311)
    The an admin who sets up an unsecure wireless network should be convicted for stupidity.
    • by krbvroc1 ( 725200 ) on Wednesday December 15, 2004 @09:08PM (#11099632)
      [] an admin who sets up an unsecure wireless network should be convicted for stupidity.

      Interesting concept... So lets say someone leaves there front door unlocked, should they go to jail if someone breaks in? Perhaps the front door is locked, but the dog door is unlocked? What if the the windows don't have bars on them?

      What bugs me is that the guy illegally accessed the computer but was not successfull in retreiving credit card information. Is such a long term warranted? What about the Corporate crime bosses who bilk millions or billions from people via fraud - they never get this level of sentence.
      • So lets say someone leaves there front door unlocked, should they go to jail if someone breaks in? Perhaps the front door is locked, but the dog door is unlocked? What if the the windows don't have bars on them?

        If that person's windows and doors were broadcasting the contents of the home on public frequencies, maybe.

        LK
      • by theLOUDroom ( 556455 ) on Thursday December 16, 2004 @03:05PM (#11108468)
        Interesting concept... So lets say someone leaves there front door unlocked, should they go to jail if someone breaks in? Perhaps the front door is locked, but the dog door is unlocked? What if the the windows don't have bars on them?

        Actually, it's more like leaving all you furniture out by the curb for someone to walk off with at will. You're broadcasting its presence to the rest of the world and you have no reasonable expectation of privacy.

        Wireless signals are accessible by EVERYBODY. They are not constrained by the notion of "private property" like your house is.

        The most fitting analogy I can come up with is leaving a breifcase full of credit card information sitting on a park bench DELIBERATELY.

        Yes, using that information for nefarious purposes is illegal, but leaving it laying around somewhere with no reasonable expectation of privacy is negligent. One might even consider it criminally negligent. If you were in the UK, it sounds like their privacy laws would agree with you.

        What about the Corporate crime bosses who bilk millions or billions from people via fraud - they never get this level of sentence.

        In our society, some people are more "equal" than others. It's fucked up but it's a given when you let someone have 1E9 dollars to themself. The only way it's ever going to get fixed is if we realize that capitalism != democracy, and adjust or society accordingly.
  • Wardriving... (Score:5, Insightful)

    by sH4RD ( 749216 ) on Wednesday December 15, 2004 @08:35PM (#11099318) Homepage
    Wardrivers like that give the wardriving community a bad name. Some wardrivers just want to find free and legal hotspots, and others (although they could have good intentions) just want a free net connection. Wardriving as a cheap way to access corporate networks is just bad taste...
  • by BlueCodeWarrior ( 638065 ) <steevk@gmail.com> on Wednesday December 15, 2004 @08:35PM (#11099321) Homepage
    including one of the first people to ever be convicted of wardriving.

    Can you be really convicted of wardriving, or just something you do illegally while you're wardriving?

    According to the wikipedia article in the blurb:
    Although acessing the files on an open network is illegal, it is not illegal to simply use the internet connection of an open wireless network, this is a common misunderstood concept. Most wardrivers do not in fact use services without authorization.

    Seems kind of like saying, "He was convicted for using the Internet" when someone gets convicted of cracking.

    Another thing...so you can use the connection, but you can't use any files? What's the justification for that? If you leave the network open and allow it to be used and you leave files open on it, how can it be illegal to use them?
  • by oldosadmin ( 759103 ) on Wednesday December 15, 2004 @08:36PM (#11099330) Homepage
    Since when is wardriving illegal?
    • As I said in my post above: [slashdot.org]
      From wikipedia:

      Although acessing the files on an open network is illegal, it is not illegal to simply use the internet connection of an open wireless network, this is a common misunderstood concept. Most wardrivers do not in fact use services without authorization.
    • Since when is wardriving illegal?

      Since wardriving was accessing other people's privately-owned networks, with a reasonable expectation of privacy (most people won't try to wardrive for a connection when they don't have their own), possibly for the purpose of accessing other computers on the network behind the firewall.

      About the public/private thing: driveways, a large lawn/garden, private parks in housing communities, private roads and parking lots, etc. are still private property on which you can be con
  • by The Illegal Pirates ( 840709 ) on Wednesday December 15, 2004 @08:37PM (#11099337)
    Dear Sir or Madam:

    We, the Illegal Pirates of the Internet Who Must Steal Everything No Matter What, rue the travesty that has lead to the sentencing of our compatriots. We remain dedicated to the theft and infringement of all intellectual property at all costs, including but not limited to financial records and credit card numbers. Rest assured, we will continue our relentless campaign to thieve.

    Signed,

    The Illegal Pirates of the Internet Who Must Steal Everything No Matter What

    p.s. clock!

  • by An Ominous Cow Erred ( 28892 ) on Wednesday December 15, 2004 @08:37PM (#11099340)
    While I think sentences (including this one) in the United States are excessive, and I think prison in fact fails to solve anything because it is used as a punishment rather than a rehabilitation and in fact makes people worse rather than better, I sort of rankle at this person being compared to Kevin Mitnick.

    Kevin had no interest in any sort of financial gain from his activities. He was only interested in exploring and seeing what he could find. He was an annoying guy, but not one with ill intention.

    I don't know the details about these individuals, but it seems to be implied that it was a moneymaking operation. That makes it far worse than anything Kevin did.

    That said, prison isn't the answer. Only violent people should go to prison (and those prisons should be run such that they don't create the atmosphere for violence inside that they do today -- i.e. don't use the prisoners as an unwritten "punishment" against eachother -- punishment is counterproductive.)
    • by Yaa 101 ( 664725 ) on Wednesday December 15, 2004 @08:47PM (#11099437) Journal
      If you live in a country where revenge prevails then prison is the answer.
    • Well they did get 9 years and kevin got 5 (and kevin got out in like 3 didn't he?) so intenet was considered in the case obviously.

      Yes punishments are harsh in the US and there's a good reason for this For one, people like vengence. Oh boy do they like vengence. For another, throwing tougher and tougher laws on the books doesn't piss anybody off. Won't you think of the CHILDREN? 3 strikes your out laws, etc, etc all appeal to about 70% of the population - namely the middle class and the rich (those who vot
    • Prisons were originally designed to stop people from committing crimes, commonly they would only lock people up at night so they couln't break into peoples houses or shops. Only in the last couple of centuries with the advent of the idea of reforming people come in, prison sentences got much much longer and the idea of reforming people in the early days was though harsh treatment and work.

      The harsh treatment and work didn't have the desired results, but we carried on locking people up not because of there
  • by upsidedown_duck ( 788782 ) on Wednesday December 15, 2004 @08:39PM (#11099351)

    I bet he isn't looking forward to having his security hole exploited while in prison!

  • by koreaman ( 835838 ) <uman@umanwizard.com> on Wednesday December 15, 2004 @08:39PM (#11099360)
    Let me make a few preemptive arguments before the inevitable "Free Kevin"-esque posts start coming by the hundreds.

    This guy is a criminal. He robbed people, or attempted to rob them. This is like robbing a bank, only worse. Nobody should show any sympathy for this guy. In fact, for the identity theft and fraud he commited, nine years is much too short of a sentence.

    I know that a lot of the people who read this may tend to sympathize with him. This is the nature of /.ers. For proof, look no further than the topic which this is posted under.

    That's right, "Your Rights Online." Some editors or submitters apparently think that we have the online right to attempt to steal the property of other people, which if you think about for a minute is absurd.
    The reason a lot of /.ers want to sympathize with this guy is the fact that a lot of them are (good) hackers. No matter how dirty his actions were, they don't want to see a fellow hacker put in prison.

    But please, think before you post inane things about how our legal system is evil and corrupt. This is good. Thank God for the law.
    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Wednesday December 15, 2004 @08:52PM (#11099484)
      Comment removed based on user account deletion
    • Well, <pendant> robbery [reference.com] involves violence, or the threat of violence. </pendant>

      I'd say that it's not just like robbing a bank, only worse.

      That doesn't mean I think the sentence is unfair.

    • He robbed people, or attempted to rob them. This is like robbing a bank, only worse.

      No, it's not. Theft and robbery are different animals. These guys never held a gun to someone's head, never threatened anyone. They are more akin to cat burglers than "robbers".

      Nine years is longer than a manslaughter conviction. Longer than most murder convictions. Longer than rape convictions. What kind of fucking idiot are you to value some large corporation's potential bottom line (since they actually stole noth
  • Plea agreement (Score:3, Interesting)

    by sekicho ( 570184 ) on Wednesday December 15, 2004 @08:42PM (#11099392) Homepage
    Security Focus [securityfocus.com]:
    Even reduced, Salcedo's prison term is unusually harsh for a computer crime. The sentence is based largely on a stipulation in Salcedo's plea agreement with prosecutors that the losses in the abortive caper would have exceeded $2.5 million. "The damage that Mr. Salcedo could have caused the consumers if he was successful could have been astounding," says prosecutor Martens.


    Salcedo's defense attorney, Samuel Winthrop, did not return phone calls.
    If I were that attorney, I wouldn't be returning phone calls, either.
  • As the global economy relies more and more on computers to conduct comerce, I for one am glad that computer crimes are being treated quite seriously. Just because it is a computer, and just because there was no physical harm to someone, doesn't mean that the crime is not a damaging crime. And with the concerns running about for identity theft, the sentence seems appropriate. It should go out for a warning: if you want to hack others computers, then you should set up your own LAN and only hack computers that
    • As the global economy relies more and more on computers to conduct comerce, I for one am glad that computer crimes are being treated quite seriously.

      Well, if only "people" decided to take network admin security anywhere near as seriously we'd be in good shape, no? Running a major e-commerce chain over unsecured wireless. wtf.

      (By the way, there have been something like 4 cybersecurity czars over the past 5 years in the US... they keep stepping down 'cause no one takes them seriously.)

      Just because it i
  • by spagetti_code ( 773137 ) on Wednesday December 15, 2004 @08:44PM (#11099407)
    A bit of common sense here - 9 *years* for hacking. That is higher than the average federal sentence for murder http://www.law.upenn.edu/fac/phrobins/OxfordDeterr enceAppendix.pdf [upenn.edu] although lower than the average state one.
    • That is an unfortunate consequence of the justice department giving out plea bargains to everyone for the sole purpose of getting the trials over quicker.
    • by mdfst13 ( 664665 ) on Thursday December 16, 2004 @03:00AM (#11101811)
      "That is higher than the average federal sentence for murder"

      No, it is higher than the average federal sentence for "non-negligent" manslaughter and murder cases combined (btw, murder is a capital crime in federal court...as how many years does the death penalty count?). Manslaughter is not murder, that's why it carries a lower sentence. Further, murder and manslaughter carry lower recidivism (repeat) rates than do property crimes.

      People have this odd idea that incarceration is to deter people from committing crimes. It is not. The primary purpose of incarceration is to *prevent* people from committing crimes. Deterrence value of any punishment is weak, because it is not sure. Most criminals expect to get away with their crimes.
    • Just goes to show how unjust the law really is. Under a just system of law, how could any deliberate murder recieve anything less than a life sentence?
  • by Manip ( 656104 ) on Wednesday December 15, 2004 @08:45PM (#11099411)
    I'm sorry, but does anyone else find this silly? You can get a longer sentence for hacking than you can for a rape!
    And they didn't even get any credit card information..

    I mean if they broke in and took down the entire corp. network or put the company into administration then yeah sure, harsh it up...
    But where is the justification for a 9year sentence?

    Also, if you trespassed (into the office) and tried to steal a book of credit card information and let's add criminal damage (broken window) you would not get near five years let alone 9!
  • ...other white collar crimes will not be prosecuted as they won't recieve much media attention to propagate to young eager script kiddies the scary consequences of making network adminstrators look bad.
  • quick (Score:2, Funny)

    by pyrrho ( 167252 )
    let's protect them!

  • How many years did the guys at Enron etc.... get?
    Seems like you get of if you you cough up government payola.
  • Cracker != Hacker (Score:3, Insightful)

    by ObsessiveMathsFreak ( 773371 ) <obsessivemathsfr ... om.net minus bsd> on Wednesday December 15, 2004 @08:55PM (#11099506) Homepage Journal
    This guys was not a hacker. He was a cracker. A criminal hacker. I'm sick of this public misconception. Whenever I talk about software to non tech people and I mention hackers, and the good work they do, people automatically assume I'm talking about some uber geek, crypto cyber punk, virus writing, terrorist whos out to gain control of as many nukes as he can before he downloads copious amounts of porn into their bank accounts.

    Seriously, where the hell did this misconception arise from? It's tempting to blame hollywood, but it's more likely to have been some self proclaimed "landmark" NY Times article written by some clueless reporter who knew next to nothing about computer or the net in general outside of what some equally misinformed 133t script kiddies spluttered out to him when he asked them on IRC( The devils internet dungeon!!).

    This misnomer of hackers used in the media at large has got to be tackled somehow. Otherwise other FUD might creep in, and pretty soon FOSS apps might be classed as warez by another bumbling journalist looking to rise ranks by jumping for the businees pages to the spanking new IT suppliment section by writing the next domesday tech article, complete with teenage (cr/h)acker masterminds.
  • I'll bet that Ken Lay of Enron, who stole billions of dollars from millions of CA residents won't do half that time.

    Stealing CC numbers is a bad thing and needs to be punished but let's face it, in the US we have a criminal injustice system that favors rich, white people who steal large amounts of money and have access to lots of lawyers. Everyone else gets caught up in the great meat grinder of "justice".

    Check out: frontline: the plea [pbs.org]

  • Do you think the crackers will also be prohibited from using the Internet for a certain period of time after their release, sort of like what happened to Mitnick?
  • by G4from128k ( 686170 ) on Wednesday December 15, 2004 @09:05PM (#11099601)
    Some may argue that the punishment does not fit the crime, that it is much more severe then other forms of monetary crime. But what makes cracker crime so dangerous to the IT industry is that it attacks the trustworthiness of the infrastructure. If consumers turn away from online transactions, if businesses decide to reduce their reliance on computers, then IT employment will drop or not increase to its full potential.

    Look at the analog of this in meat-space -- people would rather shop, go to work, enjoy entertainment, etc. in a safe environment. Businesses that try to operate in crime-ridden neighborhoods don't do as well, don't have as many customers, don't hire as many employees, and don't pay as well.

    IT employment depends on the continued adoption and use of IT by businesses and consumers. If the internet and computing becomes a ghetto of spyware, crackers, and phishers, the economics of IT will suffer. To the extent that people avoid using computers for fear of crime is the extent that ITer will see their jobs disappear.
    • LOL, ok, so if we don't do something about all this internet craziness, we'll end up doing, err... what is that?

      The internet IS a ghetto of spyware, crackers and phishers. Nobody is going back to carbon copy credit card swipes, human tellers in banks and grocery checkouts where the clerk codes in prices into his mechanical cash register.

      How does this particular crime, even if it had payed off, going to put a dent in computer use? It might piss some people off at Lowes, result in a lot of charge backs and
  • Deserves what he got (Score:5, Informative)

    by paanta ( 640245 ) on Wednesday December 15, 2004 @09:18PM (#11099698) Homepage
    Not mentioned yet, but he _is_ a repeat offender. He brought down a local bbs--insert obligatory plug for arbornet.org!--back in 2000 and was the first charged with hacking under michigan law. http://www.merit.edu/mail.archives/netsec/2000-09/ msg00009.html I dunno, but you'd think he'd have wised up by now.
  • What is sad here (Score:4, Insightful)

    by randall_burns ( 108052 ) <randall_burns@@@hotmail...com> on Wednesday December 15, 2004 @09:37PM (#11099842)
    Is how stiff this penalty is compared to that of serious corporate criminals that are already wealthy. I've seen some of this stuff up close(I worked on the audit of Riscorp, the CEO of which did prison time). There seems to be a lot of hysteria around hackers-and very little around the REALLY big criminals-who are the managers of major corporations and governmental organizations.
  • by crovira ( 10242 ) on Wednesday December 15, 2004 @09:42PM (#11099879) Homepage
    I'm calling myself a white hat code wizard.

    The 'popular perception' of the whole hacker (code geeks)/cracker (crypto geeks) myth is a kind of hopelessly unwinnable argument about angels on pins.

    Considering the alternatives, I've just invented a new name for myself and left the waste of time up to those poor souls who care.

    I've just given the hell up.
  • by metalligoth ( 672285 ) <metalligoth.gmail@com> on Wednesday December 15, 2004 @09:53PM (#11099995)

    My business partner learned hacking and coding from this guy when the guy was legit.

    What he did I think any of us on Slashdot could do. It doesn't require a great deal of skill or 31337N355.

    This is in the "Your Rights Online" section because he should be treated the same as someone who thirty years ago stole file cabinets of data about people at a large chain's headquarters. If the data is the same then there is no need for changing the sentence.

    That said, the young man did wrong and will get what he deserves. He was a little bit bright and could surely have come up with a better scheme than this. I know I could, but I and his former "student" are devoting our time to a legit business. [s3mi.com]

    Please excuse the shameless plug. We may be legit, but we're certainly not wealthy. Starting a company is hard work. 60+ hour workweeks, paying yourself less than minimum wage for a year or more... No wonder Mr. Salcedo chose the "easy way out".

  • by howardjp ( 5458 ) on Wednesday December 15, 2004 @10:05PM (#11100093) Homepage
    Salcedo was arrested in the last month of a 36-month probation sentence after he broke into Arbornet [arbornet.org] and many other sites in 2000. The original Slashdot story is here [slashdot.org].
  • Unjust Punishment (Score:4, Insightful)

    by Maul ( 83993 ) on Wednesday December 15, 2004 @11:11PM (#11100542) Journal
    This "hacker" never actually stole CC data, but still got nine years.

    If Ken Lay is even given jail time, I doubt that he'll be doing 9 years. He'll probably get 1 year max at the place with the golf course and squash court.

    I think much of the complaint is not how much time the hacker is getting, but how little time other people who take part in similar crimes but without the "hacking" element.
  • by Anonymous Coward on Wednesday December 15, 2004 @11:29PM (#11100661)
    Who gets their news from a mickey mouse outfit like ABC anyway? If you're going to post some clueless banter about attempted credit card fraud, at least link to an article (or thread) with some relevant information about the case instead of an uninformed soundbite. You could start with one of the following:

    http://reviews-zdnet.com.com/AnchorDesk/4520-7297_ 16-5511088.html [com.com]

    http://www.theregister.co.uk/2003/11/22/michigan_w ifi_hackers_try/ [theregister.co.uk]

    http://www.securityfocus.com/news/7438 [securityfocus.com]

    http://www.securityfocus.com/news/8835 [securityfocus.com]

    http://www.netstumbler.org/showthread.php?t=11115 [netstumbler.org]

    Some of the more interesting quotes for those too lazy to click on the links:

    "In 2000, as a juvenile, Salcedo was one of the first to be charged under Michigan's state computer crime law, for allegedly hacking a local ISP."

    "It was six months later - Botbyl allegedly admitted to agents - that Botbyl and his friend Salcedo hatched a plan to use the network to steal credit card numbers from the hardware chain"

    "At some point in their wardriving experience, Timmins and Botbyl came upon a Lowe's hardware store with an open wireless network. Timmins later admitted to Kevin Poulsen of Security Focus that what he did next was technically illegal: he used the Lowe's network to check his e-mail. When he realized it was Lowe's private network, however, he says, he disconnected."

    "That in itself might have been the end of the story. However, Lowe's became aware of the breach and contacted the FBI, who, after its investigation, charged Timmins with one count of unauthorized computer access. And that by itself would have been a significant story: Timmins's plea has been reported as the first instance of a wardriving conviction. I think the claim is an exaggeration, however. The charge would have been the same had he used a wired connection."

    "But here's where the story gets interesting. Several months later, Botbyl returned to the Southfield, Michigan, Lowe's with a new friend, Brian Salcedo, now 21. Salcedo, it turned out, was in the final weeks of a three-year probation for an earlier computer crime."

    "According to the indictment, the hackers used the wireless network to route through Lowe's corporate data center in North Carolina and connect to the local networks at stores around the country. At two of the stores - in Long Beach, California and Gainseville, Florida - they modified a proprietary piece of software called "tcpcredit" that Lowe's uses to process credit card transactions, building in a virtual wiretap that would store customer's credit card numbers where the hackers could retrieve them later."

    "Brian Salcedo, 21, faces an a unusually harsh 12 to 15 year prison term under federal sentencing guidelines, based largely on a stipulation that the potential losses in the scheme exceeded $2.5 million."

    "As for how it was computed here's one probable way: Maximum number of cards in the system at the time they could have captured, multiplied times the maximum credit limit on each. (So say Lowe's does an average of 2500 credit cards transactions nationally in a night, and each has a $1000 Credit Limit. That is $2,500,000 right there.)"

    "They were not able to access nationwide credit card files or get into corporate systems," says Lowe's spokesperson Gina Balaya. "They did access six credit card transactions from one store."

    "My initial reaction when I heard the charges was one of skepticism," says Karl Mozurkewich, founder of the Michigan software company Utropicmedia, and a member of the group. "Eighty percent of the people in the 2600 group in Michigan are more the c
  • by naoursla ( 99850 ) on Wednesday December 15, 2004 @11:52PM (#11100806) Homepage Journal
    Don't shop at Lowes. They keep their credit card information on a computer accessible from an insecure wireless access point.
  • by Feanturi ( 99866 ) on Thursday December 16, 2004 @01:13AM (#11101311)
    This is the digital age, and people are finding out more and more, how empowering it can be to know a few things. This is not the world of 20 years ago, and the fact as some have pointed out, that what he did was fairly easy to accomplish for many people here, should be a warning bell. So by giving a harsh sentence they may hope to stem the tide of people figuring they can finally get that big heist scheme to work.

    I had a ridiculous conversation at a drinking party once, years ago. This guy I knew was blearily insisting that I needed to 'hack' a bank, because he was sure I could do it. I didn't know about that, I'm just a regular geek, scanning x.25 networks for outdials isn't the same as breaking into a bank. He was insisting it would definitely work. We could have it all planned out see, and, "Oh you could totally do it man, we should so do that!" I kept insisting that it was incredibly dangerous, and that I didn't know how ("Oh you can figure it out man, I know you can!"), and he just wasn't having any of my protests. Stealing, or for that matter almost anything that risks jail time, doesn't appeal to me anyway. Now imagine someone with his attitude and also the knowledge to follow buddy from the article. This sort of idea can become more widespread as technology reaches everyone, and is a scary thought for those with things to lose from it. People such as, well, any random person alive, could be you, could be me, could wreck a lot of lives.
  • by Billly Gates ( 198444 ) on Thursday December 16, 2004 @01:38AM (#11101437) Journal
    Lets get the real crooks who cost corporate America more money and are an irritation to society!

    seriously malware programs are trojan horses and its cracking pure and simple. Many install themelves via buffer overflows in javascript just like a real worm. Many install keyboard loggers and backdoors just like a real worm. ALso many slow down computers just like real worms. So if it looks like a duck, quacks like a duck, then what is it?

    They are the true crooks here.

  • More information (Score:4, Informative)

    by Kizzle ( 555439 ) on Thursday December 16, 2004 @04:52AM (#11102208)
    This episode of the phreaking internet radio show Default Radio [defaultradio.com] covers this when it first started several months ago. The co-host on this episode knew these people so it makes for a good insider's point of view.

    Default Radio episode 23 part 1 [pig-monkey.com]
    Fast forward to 22:30
  • I knew the third guy (Score:3, Interesting)

    by JimTheta ( 115513 ) on Thursday December 16, 2004 @11:26AM (#11105247) Homepage

    The 3rd guy, Adam Botbyl, used to live on the street behind mine. He's a couple years younger than me; my little brother knew him better than I did. (This article names him) [securityfocus.com]

    This was probably 10 years ago (him and my brother would have been in 5th or 6th grade), but one interesting bit of trivia is that he was the butt of jokes by the other kids. A bunch of the neighbor kids were into collecting basketball cards. Some of the crueler ones would put common cards back into the pack and glue the top together, and they'd sell or trade them to Adam.

    As I heard about this through my brother, it was portrayed that Adam was hella gullible. One pack had a card from the wrong brand in it (e.g. a Topps card in an Upper Deck pack); the other kids told him that it must be some error and might be more valuable. Whether the kid actually believed it or just went along to avert more bullshit is a question for him.

    Stories like this were pretty common, and I wonder what that does to a kid, having no good friends around.

    Now, I'm not saying that's an excuse; he's a total stupidass for what he did.

  • by Darth_brooks ( 180756 ) <clipper377@g[ ]l.com ['mai' in gap]> on Thursday December 16, 2004 @12:27PM (#11106064) Homepage
    The defendant was already on probation. He was busted in 2000 for cracking passwords on arbornet.org. He was 17 at the time, and one of the terms of his probation was to stay off the internet.

    http://www.mlive.com/news/aanews/index.ssf?/base/n ews-11/1103213452260230.xml [mlive.com]

    (limited personal information cookie-filling-out required)

    Boo hoo. He voilated the terms of his cake-walk probabtion. Have fun in prison.

"An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it will also make better soup." - H.L. Mencken

Working...