Feeds

TJX mastermind chances his arm with deep cover infiltration appeal

A Scanner Darkly-style defense

Beginner's guide to SSL certificates

Albert Gonzalez, mastermind of the infamous TJ Maxx hack, has sought to get a judge to set aside his earlier guilty plea and conviction in the case by arguing he carried out the hack while working as a paid government informant.

Gonzalez, 29, who escaped jail time back in 2004 over his involvement in the sale of 1.5 million stolen credit and ATM card numbers while a member of the Shadowcrew group by ratting out his erstwhile partners in cybercrime, went on to bigger and better things. While supposedly working for the Secret Service, he acted as ringleader in a massive credit card theft and laundering operation involving an estimated 170 million credit cards between around July 2005 and his arrest in May 2008.

His crew took advantage of network insecurities (particularly weakly encrypted wireless networks in retail shops) to infiltrate systems and ultimately plant packet sniffers on the networked of TJ Maxx, Heartland Payment Systems and others. Extracted data was used to make cloned cards or sold through black market cybercrime forums. Proceeds of these crime were then laundered.

Gonzalez was jailed for 20 years in March 2010. Now, and only after unsuccessfully claiming he wasn't entirely responsible for his actions because he suffers from Asperger's Syndrome, Gonzalez contends he was only following his brief as an informant – acting on the inside to infiltrate cybercrime networks. The fact that, by his own earlier admissions, he was at the top of the pyramid he was supposedly infiltrating gets overlooked.

What isn't in dispute is that while getting paid at least $1,200 a month by his Secret Service handlers and helping to gather evidence of minor players in the cybercrime scene, Gonzalez was simultaneously running his Operation Get Rich or Die Tryin' cybercrime project.

"I still believe that I was acting on behalf of the United States Secret Service and that I was authorised and directed to engage in the conduct I committed as part of my assignment to gather intelligence and seek out international cybercriminals," Gonzalez said in a 25-page petition filed last month and republished by Wired here. "I now know and understand that I have been used as a scapegoat to cover someone's mistakes."

The petition provides a fascinating insight into the life of a cybercrime informant and cites example that would support the contention that Secret Service informants turned a blind eye to some low-level scams carried out by Gonzalez. For example, short of money, he used illegal means to find $5,000 in order to pay off a debt to a carder.

It's a much bigger stretch, however, to come away with the conclusion that the Secret Service had granted Gonzalez carte blanche to carry out the biggest cybercrime operation ever uncovered.

Gonzalez claims that Secret Service agents fluffed his ego to the extent that he got carried away and lost sight of the bigger picture.

"All of this inflated my ego and made me feel very important and made me feel like I was really a part of the Secret Service with the backing and support of the government agency. One day I was unknown and nothing and the next day I am being hailed as a genius and giving presentations to Secret Service agents in Washington, DC. All of this was mind-boggling for me."

But why are we only hearing about all this now, on a form of appeal, months after Gonzalez pleaded guilty (presumably when faced with overwhelming evidence) and was sent to jail? The convict claims he is only raising the issue now because he was not aware of the "public authority" defence.

Like many convicts, he blames his lawyer for an oversight that led to his imprisonment.

Gonzalez's former lawyer, Rene Palomino, told Wired that there was no basis for an argument that his former client acted with government approval, stating that there are no legal grounds for Gonzalez to withdraw his plea and get a trial. He also said the defence had looked closely at the question of whether evidence against Gonzalez obtained from the computer of carder Maksym "Maksik" Yastremskiy following his arrest and alleged torture in Turkey might be ruled as inadmissible. "We researched the issue regarding the evidence, and there were no grounds for suppression," Palomino told Wired. "Everything that was legally possible that could have been done for him was done for him. Nothing was left undone."

Gonzalez entered into a plea-bargaining agreement with his eyes wide open, his former lawyer argued. "He knew what he was getting into when he signed off on this agreement," Palomino concluded. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.