Whitehat hacker made FBI patsy
Sleep with dogs, wake with fleas....
American federal officials used threats and a false promise of leniency to lure computer security researcher and admitted cyber intruder Max Butler into becoming an undercover FBI informant, according to a defense motion filed in the case Tuesday.
It was only when Butler balked at covertly recording a friend and colleague, and instead sought advice from an attorney, that the government threw the book at him, the motion charges. "The government as much as promised him he would receive consideration," says defense attorney Jennifer Granick. "At least until he hired an attorney."
Butler, known as "Max Vision" to friends and associates, plead guilty last September to a single count of computer fraud, for penetrating a series of Defense Department computers in May of 1998. He's set for sentencing in San Jose, California on May 21st. Under federal sentencing guidelines, Butler faces 18 to 24 months in prison.
The case was unusual from the start. Butler is not a typical "Black Hat" hacker. A consultant who specializes in performing penetration tests on corporate networks, the 28-year-old is well regarded in computer security circles, and several members of the community wrote letters of support for Butler's sentencing hearing.
In particular, Butler is an expert on intrusion detection: the science of automatically analyzing Internet traffic for "signatures" indicative of an attack, and he created arachnids, a popular open source catalog of attack signatures that forms part of an overall public resource at WhiteHats.com.
In Tuesday's motion, Butler's defense lawyer Jennifer argues that the financial losses alleged in the case are inflated. The government claims Butler caused $60,000 in damage, based on the hours spent recovering from the attacks. The 18 to 24 month sentence calculation is based in part on those losses, and if the sentencing judge agrees the figure is unreliable, Butler will likely receive a reduced sentence.
Granick also argues that there are mitigating factors in the case that warrant a sentence below the guidelines, and for the first time offers some insight into Butler's motives in the 1998 cyber attacks.
In May, 1998, the Internet was reeling from a devastating vulnerability discovered in a ubiquitous piece of software called the BIND "named" domain server. Formally known as the iquery BIND Buffer Overflow vulnerability the hole been publicly announced by Carnegie Mellon's Computer Emergency Response Team (CERT) a month earlier, and a software patch to fix it was available for download. But according to an FBI affidavit, the hole was still in place on Air Force systems, nuclear laboratories, the U.S. Departments of Commerce, Transportation and the Interior, as well as the National Institute of Health.
Near the end of May, the hacker group ADM raised the stakes by publishing a computer program capable of spreading through vulnerable systems automatically. It was concern over the damage the worm could wreak on an unprepared Internet that spurred Butler to his fateful course. "Mr. Butler modified the worm program to download and install the official software patch that repaired the BIND/named vulnerability from the software vendors' web site," Granick's motion reads. "Mr. Butler used his modified worm to automatically get root access on machines through the named vulnerability and fix the named hole."
It could have been an unsullied act of mass guerilla patching -- a relatively harmless hack that would have left the Internet a little more secure, while dappling only a few spots of gray on Butler's white hat.
But Butler's worm also installed back doors on every system it patched, and reported their location back to Butler, giving him a way into the machines even as he locked out other hackers. That feature simultaneously made the crime harder to defend, and easier to solve.
"The Air Force was the first to realize what was going on; a lot of bases were being hit, a lot of flags were going up," says Eric Smith in an interview. Smith spearheaded the Butler investigation as an Air Force Office of Special Investigations (OSI) computer crime sleuth. Now a computer security and investigations specialist at Denver-based e-fense, he recalls the electronic trail leading from McChord Air Force Base to Butler's Northern California home was relatively straightforward.
But the reaction Smith received when he brought in the local FBI office was more puzzling. "As I was talking to them, I said the name [Butler] and they kind of hesitated. Then they said they'd call me back."
Enter the "Equalizer"
It turns out Butler was no stranger to the San Francisco FBI: The Bureau's cyber crime team had been tapping his expertise on a volunteer basis since 1996. "Max Butler is well known to the [agents] of the Computer Crime Squad," reads a 1998 affidavit by FBI agent Peter Trahon. "Butler has been a confidential source... for the FBI for approximately 2 years. He has provided useful and timely information on computer crimes in the past."
"They were definitely surprised," recalls Smith. "It was kind of a sensitive situation."
Court records don't reveal what kind of information Butler provided the FBI up to that point, but his lawyer characterizes it as "periodic intelligence reports" dealing with computer security vulnerabilities, software piracy techniques, and password cracking, all on a purely technical level.
The nature of Butler's contribution was about to change.
Armed with a search warrant, three FBI agents and OSI's Smith searched Butler's home on July 2nd, and found a penitent and contrite hacker, who immediately confessed to everything. "He wanted to help out," recalls Smith. "He wanted to do everything he could to try and make things right."
The FBI saw an opportunity. "They told him that in order to set things right and to make amends, he had to work off his mistake by assisting them with other investigations," Granick writes. "Mr. Butler told the agents he wanted to continue to help and agreed that he would work for them. "
"They were interested in doing more work with him," recalls Smith. "They thought he might have some more information on things that were going on."
The agents gave Butler the nickname "Equalizer," and immediately put him to work. Phone hackers had infiltrated 3Com's PBX, and were using the company phone system for free teleconferencing. Butler's first mission was "to familiarize himself with new telephone system intrusion tools and techniques and to be able to pose as a 'phone phreak' (telephone hacker) in the investigation," the motion reads.
"Mr. Butler, using his computer knowledge, and dropping the names of people the intruders knew from Internet Relay Chat (IRC), was able to lull the intruders into a sense of security. They then revealed, to Mr. Butler and through him to the FBI, the name of the hacking group that had committed the intrusion and the handle of the primary intruder," reads the motion. "During this monitored conversation, the suspects also discussed several instances of credit card fraud occurring over the network."
Butler went on to hold IRC conversations with the hackers, and provide the FBI with transcripts.
The agents were evidently pleased enough with Butler's work to give him another assignment, and near the end of July they summoned "Equalizer" to a meeting in the FBI offices high above San Francisco's Golden Gate Boulevard.
Ratting on DEFCON attendees
Butler's new mission: Attend the DEFCON hacker convention at the Plaza Hotel and Casino in Las Vegas -- the largest annual gathering of security experts, hackers and cybercops in the world. "There, he was to collect PGP encryption keys from conference attendees and try to match people's real names with their hacker identities and with the keys," reads the motion.
The motion doesn't reveal how much information Butler gathered at DEFCON 6.0 on behalf of the FBI, and in an interview, Granick said Butler doesn't recall what he reported back to the Bureau. On Granick's advice, Butler refuses interviews about his case.
After DEFCON, the FBI had another assignment for Butler. This time he was to wear a transmitting device - a 'wire' - and secretly record friend and colleague Matthew Harrigan, then CTO of San Francisco security services firm MCR, for which Butler had performed some consulting.
It was no secret that Harrigan had a bit of hacking in his past. In 1996, he even discussed his past life as the hacker "Digital Jesus" in the pages of Forbes magazine. He assured readers that he'd long ago taken to the straight and narrow.
But the FBI either wasn't convinced of Harrigan's reformed character, or believed that some of Digital Jesus' youthful adventures might fall within the five year statute of limitations. "The FBI was probably interested in me because I do associate with these people," says Harrigan. "Yes, I go to DEFCON. Yes, I hang out with them. Yes some of them are my friends. Did I participate in illicit activities? No. Absolutely not."
Harrigan was never charged with a crime. He believes the Bureau was on a fishing expedition, trying to conscript more hackers into unwilling servitude.
Instead, Butler's public service was drawing to a premature close. Apparently reluctant to become Linda Tripp, the hacker instead sought legal advice for the first time since his home was searched. He quietly made an appointment with defense attorney Granick, and, according to the defense motion, contacted the FBI agents to tell them "he would not be able to go along with the plan that day."
The FBI didn't like that.
"In the future, missed appointments without exceptional reasons will be considered uncooperative on your part," FBI agent Beeson wrote Butler in an email. "If you are not willing to cooperate then we HAVE to take the appropriate actions. [Agent] Pete [Trahon] is meeting with the prosecutor on YOUR case Monday. He wants to meet with you promptly in our office at 10:00am sharp, MONDAY 8/17/98."
That was to be the last email from the San Francisco FBI to their "Equalizer." Skeptical of the FBI's intentions, Granick phoned one of the agents to ask for the details of their arrangement with Butler. She got a cool response. Eventually, she reached Assistant U.S. Attorney Ross Nadel, who was overseeing the case. He was, according to the motion, somewhat blunter.
"At that time, defense counsel was told that the government was no longer interested in Mr. Butler's cooperation and that Mr. Butler could look forward to being indicted," Granick writes. "The only thing that had changed in the interim was that Mr. Butler had hired an attorney."
No credit for cooperation
"Presumably... they never had any intention of giving Mr. Butler any tangible benefit for his activities as a cooperating witness and believed that an attorney would advise Mr. Butler that under those circumstances, further cooperation was not in his best interest," the motion reads.
Neither the San Francisco FBI office, nor prosecutor Nadel, returned phone calls regarding the case.
Despite Butler's cooperation, in March 2000 the government threw the book at him. Butler was slammed with a fifteen count indictment charging him with interception of communications, computer intrusion and possession of stolen passwords. He was arrested, and, after a night in jail, released on signature bond.
Butler's guilty plea last September won him a standard "acceptance of responsibility" sentencing adjustment, but in Tuesday's motion, Granick argues that a further reduction in his sentence is called for because his work for the Bureau. She accuses the FBI of using and betraying the hacker.
"They tried to take advantage of his remorse and naïveté," says Granick in an interview. "They didn't cut him any slack... He didn't get any credit for his cooperation."
Granick says the Butler case offers a lesson to other would-be 'Equalizers'.
"If you're going to cooperate with the FBI, get an attorney to help you craft the terms of the deal," says Granick. "And get it in writing."
© 2001 SecurityFocus.com, all rights reserved.