Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground by Kevin Poulsen tells the story of Iceman (real name Max Butler), a computer geek turned hacker turned notorious cyber criminal who was eventually imprisoned in 2007. Kingpin charts Butler’s rise (or fall?) into organised crime, from his first offences including software piracy and phone hacking, to system administration of one of the largest cyber-criminal discussion forums on the Internet. More modern than The Cuckoo’s Egg or even Ghost in the Wires, Kingpin gives a fantastic insight into the world of cybercrime in the late 1990s and early 2000s, a period of time when criminals were starting to make serious money from online fraud – particularly from stealing credit card numbers and associated details, so-called carding – and law enforcement agencies were struggling to control this rapidly growing new threat.
A large part of Kingpin discusses the underground discussion forums where cyber-criminals share tools, tactics, and information, including the now infamous Shadowcrew forum. One of the themes of Kingpin is law enforcement’s frequent inability to keep up with technology and the new types of crimes it enables – this is especially true in the early days when Max commits his first crimes. The material here is really the stuff of thrillers as a cat-and-mouse game develops between the carders, the FBI, whose undercover agents try to infiltrate the groups and their servers, and even between the hackers themselves as they compete for notoriety in an atmosphere of distrust. It is at this point that Butler pulls off his most notorious hack – the infiltration and subsequent hostile takeover of rival carders’ forums – including DarkMarket – to create his own central criminal marketplace, CardersMarket.
One of the great takeaways from Kingpin is the answer to the question curious Computer Science and ITGS students often ask: ‘How do you hack?’. Poulsen explains in candid detail how Butler and his associates circumvented security in their target systems, including exploiting known vulnerabilities in software (flaws in BIND and VNC are discussed), hijacking WiFi connections, and taking advantage of systems that still use default passwords. In one of his bigger hacks, Butler takes advantage of a security lapse at a restaurant that stores unencrypted credit card details in text files on their systems. These examples do a great job of highlighting how security breaches are often caused by simple human error and can be relatively easily exploited – a great lesson for students on the importance of general good security practices such as choosing secure passwords and keeping systems patched and updated.
One aspect of Kingpin that disappointed was the lack of focus on the social impacts of carding, and Butler’s crimes in particular. Although loss figures scatter the book (when Butler was arrested the affected banks calculated the total losses at over $86 million), these are almost used as yardsticks to measure the success of each hack – little space is dedicated to the effects on the banks or their customers, almost giving the impression that such fraud is a victimless crime. In a similar vein, throughout the book Poulsen tends to paint a picture of Butler as a misunderstood geek, almost a Robin Hood character driven by a pathological need to hack computer systems. Poulsen does use his own knowledge (he is also a former hacker) to provide a fantastic insight into the hacker mindset, but I would have liked to have seen a little more balance.
Overall though, Kingpin is a thoroughly entertaining book – I read it in just two sittings – that I feel many ITGS students would enjoy. At 239 pages it is short enough to maintain students’ interest and is modern enough to provide a wealth of material to which they can relate. Although its coverage of the social impacts of hacking is limited, its clear explanations of hacking attacks and the apparent ease with which they were performed make reading it an eye-opening experience. There is a lot of potential here for discussion material in the ITGS classroom, including security practices, organisational responsibility to secure personal data (and report breaches if they occur), the difficulty of enforcing law online, and the fine line between white hat and black hat hacking. This could keep ITGS students busy for some time!