A Ukrainian Hacker Who Became the FBI’s Best Weapon and Worst Nightmare (wired.com)
228 points by subpar on May 17, 2016 | 50 comments


Great story. It's not often I find myself reading through to the end.

>Hilbert arranged for the FBI to rent Popov an apartment near the beach and pay him a $1,000-a-month stipend to continue working on Ant City.

Talk about cheap! They offered him ~$3,000/mo compensation for work that was saving the US potentially hundreds of millions of dollars per year in fraudulent credit card charges?

>One victim was the Boston-based multinational EMC, where intruders had stolen the source code for the company’s ubiquitous virtualization software, VMware. If the code got out, hackers everywhere could plumb it for security holes. VMware’s purpose is to allow a single server to house multiple virtual computers, each walled off from the others. So in the worst-case scenario, a hacker might find a way to “escape” from a virtual machine and seize control of the underlying system.

And this just screams of the need for more open source projects.


If VMware's security relies on it being closed source, then all bets are off. This is bad journalism.


I think that doing security audits only when your source code leaks (not even when somebody threatens to leak it) is bad software development, not bad journalism.


It's bad development style, but it's also bad journalism to say the blueprints are out, now VMware is at risk. VMware is so widely used in critical situations that it's more than likely that many skilled infosec devs have tried their teeth at finding attack vectors. Sure, they may have an easier way to find some faults now, but like Windows, it's a piece of software that's in constant exploit hunt mode.


Well, they pretty much described what actually happened, which is that VMware wasn't all that confident about their security and panicked when the source appeared.

While I too would like the article to poke some fun at VMware's attitude ;) I have to say I really didn't find it particularly offensive as it stands.

I understand the dislike for presenting closed source as "security", but in this case it seems to have been uninformed copy-paste from VMware's statements, not the author's agenda. I guess we can only expect so much from journalists who don't hang out at HN. Hopefully this whole myth will die natural death as open source OSs are becoming mainstream, especially on servers where security counts.


I guess the wording got me.


I looked up the hacker's full name in Russian - Maxim Igorevich Popov - and found a Ukrainian news article dating as far back as 2001, the year when this all started. So technically Wired's article wasn't the first public mention of the incident, but the first big and full story.

Here's the old article itself: http://fakty.ua/96374-grazhdaninu-ukrainy-kotorogo-fbr-obvin... It's in Russian and has some interesting stuff, like details from Popov's mom and dad (!), and it mostly covers the events that led to Popov's imprisonment. The article is quite long, but here's some stuff, like Popov's background, that's missing from Wired's article:

>Popov studied English and German at Kyiv National Linguistic University

>He was already married by the time the shit went down

>His parents didn't know he was a proficient hacker, they thought he was just a regular user


Don't miss Hilbert's response to the Wired article:

Rogue FBI Agent Vindicated?

https://www.linkedin.com/pulse/rogue-fbi-agent-vindicated-er...


Interesting. Sounds like Poulsen's account lines up pretty closely; it's just missing information. The big piece Poulsen apparently got wrong was that Hilbert was always aware Popov was involved in the original FBI and EMC hacks.

Sounds like Hilbert was trying to juggle a lot of things at once. Protection of the FBI and their sources; justice for the companies being extorted; information on the people Popov was (half-)tricking; appropriate action against Popov for his ongoing crimes. All balanced against his personal relationship with Popov and gratitude for his help.

He was always trying to do the right thing, but the only way to do the right thing for a particular point in time meant delaying justice for other issues.

The article does, unfortunately, show that you can never fully trust people who have made a living off of theft, fraud, or other forms of deceit. Even if they promise to help you, even if they promise to change, even if they genuinely befriend you. When you're born into that lifestyle and spend your early years in it, it's really hard to get out.


>The FBI did not screw me. The DOJ/OIG and the Boston-based AUSA did.

This being Steve Heyman?

Edit: AUSA must mean "Assistant US Attorney"


Heymann was the one that bullied AaronSw to death, right?


Correct (mentioned in the Wired article as well).


Yes, along with his boss Carmen Ortiz.


>One thing Popov had always known about Eastern European hackers: All they really wanted was a job.

How true. Making money/a living using your [technical] brain. There were only limited possibilities for it in Russia until the mid-199x, and it only gradually became reality toward the end of that decade. As far as I understand, in Ukraine it took at least 10 years more.


I worked for a couple of companies who outsourced some heavy lifting low-level dev tasks to Ukrainian-based teams.

Hands down the best experience dealing with outsourced devs ever. Very strong technically, delivering on time with the highest quality I've ever seen from outsourced teams. Communication-wise always eager to jump on a Skype or Google Hangout call to talk sh*t over instead of emailing into the void and waiting for answers for days.


That's very interesting. Can you contrast that with other experiences? Or maybe elaborate more on how this worked? Potential pitfalls?

I'm running an Amsterdam-based company that currently is fully focused on helping local twenty-somethings get going as programmers, because even here in Holland it can be slim pickings for smart, driven people.

But long-term I'm more interested in working with people who often have it even worse, just because of geography, which seems arbitrary and unfair to me. My eyes are currently on the Southern nations - Greece, Albania, Spain, etc., but mostly because it's generally less of a headache what with the EU and my personal knowledge of some of their cultures. Ultimately I don't really care who I work with, I just want to channel some of the money we have here to people who don't have it.


Sure. One company I worked with was actually US-based with PMs and high level architects scattered all over the Midwest and the actual dev team in Ukraine. They were very up front about it from the get go and once they realized we don't beat around the bush too much once the SOW was signed they started inviting the dev team to our status meetings and offered that we get hold of the devs directly if we would like to when needed. Which was awesome since most of the outsourced shops I've dealt with in the past would only have us deal with the PM and a couple of high-level SAs. And then if you do manage to get hold of their tech team they won't be overly responsive and typically you'd need 3 or 4 of the devs to get a complete picture of what's going on or to solve the issue you're having.

Another company was based in Ukraine altogether with no US presence. Same deal basically, little rougher English-wise but not too bad, their chief SA worked in the States in the past so he would jump in to clarify things if need be.

Where those guys really shine is understanding things end-to-end no matter what the role on the particular project entails. I'd be talking to a front-end developer about some symptoms I'm seeing and he'd be troubleshooting down to the wire basically - dumping proxy logs, generating wireshark captures etc etc.


It is worth noting that this is mostly no longer true, as the size of the "underground economy" (lol) has skyrocketed and the sums of money being discussed are far bigger. And contrary to what some may think, the risk reward ratio has certainly gone in the hackers favor.

The article mentions some hacker selling 8 million credit cards for $200,000; nowadays it'd be at least 10 times that.

There simply do not exist many comparable "jobs" for those capable of pulling this off. Where else can you maintain such an income working a couple of hours a day from a FS hotel in the Maldives?


Nah more like 5-6. Now adjusted for cost of living it's basically on par with US.


Often better. You can rent a flat for about $300 in most of Eastern Europe now. Internet is crazy fast for its price, taxes are probably smaller than in the US.


In Ukraine they use Private Entrepreneur structure which basically means you pay like 5%. So say for decent senior Java Dev you can get 60K/year after taxes.


If you liked that, you should also read Kevin Poulsen's Kingpin. Absolutely enticing story.


Could you tell me more about it? It's a book, right? I rather liked his writing for Wired, but I've got a book list longer than my life to get through...


Good read. Gives perspective of how the security scene has shifted from public hacking, to the private sector. So much is going on behind the scenes, little scoops like this are nice reminders.


One of the most interesting reads I've found on HN in the last few days. Felt like reading a crime thriller novel.


Another fantastic piece from Kevin Poulsen. I really enjoyed his book "Kingpin" and this article continues the tradition.

If anyone wonders how an editor at Wired manages to get all the technical details right, this Wikipedia article will help [1].

TLDR: Kevin is a former black hat hacker - caught, sentenced, served time who has since become a great journalist and author.

[1] https://en.wikipedia.org/wiki/Kevin_Poulsen


Poulsen is one of the few journalists' names I recognize, and while I'm not entirely positive about Wired, I've liked what he's written for them.


Where can I read more about this Eastern European hacking scene? A few months ago I listened to a talk by the CEO of Palantir who mentioned that in the PayPal days they unsuccessfully hired PhDs in a battle against the scammers, saying "it turns out you can't outsmart the Russian mob, they're very technical." (The solution was to hire lots of lower-skill people and give them some tools to fight the battle.)


This is the most painful longform reading experience I've ever had on a computer. I am 'reading' this from a 15" MBPR at 1440x900 - default resolution.

First page load (default zoom), a single paragraph takes up the entire window. http://i.imgur.com/7gElCv9.png

Next, I try 'zooming out' twice, aka cmd-. Turns out the text doesn't reflow to fit the window, it just shrinks. This is what it looks like. http://i.imgur.com/hr98Ryi.png

As a last effort, I switched on Reader View in Safari and it only displayed the first three paragraphs of the article.

Sigh. I like Wired, and mobile is important - but not this important.


Without any particular opinion on the reading experience, I've been wondering about something. Why is it that quite a few pages that I use Safari's (otherwise excellent) Reader View on don't display the full article? Is it intentional? Some flawed parsing on Safari's part?

In most cases adding the article to my instapaper list solves the issue, but even there I occasionally find missing content, in particular on wikipedia pages. Which is odd, because I'd expect Instapaper to find some way to handle those well.


1440x900, ouch. I'm using the exact same machine and it was great at my normal 1920x1200.

You're right though, I tried the zoom-out you did, and had the same results.


"Maksym Igor Popov" name sounds so fake.


It comes from a 7th century Christian Orthodox monk and theologian called Maximus the Confessor who has a good reputation among Christian Orthodox faithful. https://en.wikipedia.org/wiki/Maximus_the_Confessor


What bs. Russians/Ukrainians do not have second names.


Usually when Russians write their name, they write:

Given Name + Patronymic Name + Surname

Given name: Vladimir

Patronymic name: Alexandrovich (son of Alexandr)

Surname: Putin

The patronymic name and surname change between male and female.

What is not clear is why Igor is not written as Igorevich.

Perhaps a Russian/Ukrainian user can weigh in?


It may be the name he provided as his legal name when applying for a visa/permit. A patronymic name is a foreign concept for the US/Canadian legal system, so for immigration purposes it is treated as a middle name AFAIK, and quite liberally at that.

Canadian immigration service, for one, just cuts the patronymic name if the total length of first + patronymic + last names exceeds a certain limit (my guess - the limit is the length of the field in some form/database). So "Igorevich" becomes "Igore" or "Igorev" depending on your first/last name lengths. The US may have more flexible rules and let you provide your version of a middle name or drop it altogether.

I wouldn't attach too much importance to this detail.


There are no patronymics in Russian passports at least, not sure about Ukrainian. But even if there are, it would be Igorevich 100%. And it's always written on American visas as in the national passport.


Russian user here. Yes, that's weird. I would expect something like Maxim Igorevich Popov.


Vladimir Vladimirovich Putin would like to have a word with you. There are both surnames and hyphenated second names.


Name from the article would sound like Maxim Igorovich Popov.


Vladimirovich is not a second name, it's a patronymic (name of his father).


Good thing this article names a bunch of people who wanted all of this history about them anonymous.


I thought I was on a mobile page because of the lack of side bars and other distractions. Nice job wired!


It even works with JavaScript disabled... what is this sorcery?


Yeah indeed, very clean to read and no annoying popups... This is just a good story..

If I see more of this, this could become my first subscription ever online :p (seriously)


Ironic it works nice on desktop because it's glitchy on mobile. Had to reload several times before the wired banner would dock at the top of the screen. It would just float dead center of the screen the first few times.


Very well written.

How hard is it to program these types of systems? It sounds quite technically challenging to build an automated system that can easily steal information from Target etc.


technically, once you know the exact command / syntax, just code, compile & wrap nicely for easy usage...

Just a typical programming / scripting routine


Great story... but the amount of resources that webpage consumes is f-ing RIDICULOUS.


That's what we get when we apply the app mentality to the web...

