Looking at Kevin Poulsen, you'd never think he was once one of America's most notorious hackers. Hell, you probably wouldn't even believe what he is now -- a fearless and brilliant investigative reporter at Wired.com. He lives on soups from Costco and Mexican Cokes; his desktop background was a photo of his baby daughter. It took me months of working with Poulsen at Wired to place his name, check out his Wikipedia page and recall that he'd been sentenced to 51 months in jail back in the '90s for hacking.
Poulsen brings all of his background to his new book Kingpin, the story of how a hacker named Max Butler briefly became the very epicenter of the lucrative black market in stolen credit card numbers. While Butler's exploits and the disjointed efforts to catch him make for a cracking (if straightforward) crime story, that's not what makes Kingpin a milestone in the anthropology of hacking, up there with Steven Levy's Hackers. Rather, what will make this book endure is Poulsen's elegant elucidation of how the hacking world evolved from its pimply, ideological beginnings into a global criminal enterprise. He doesn't belabor the point or even indulge in the sort of nostalgia for the old days you might expect. Rather, it's a statement of fact: If your information is valuable and easy to get to, it will be stolen. And not by some cyberlibertarian with a love for Burning Man.
The mechanics of Butler's operation make for fascinating reading. Much of the credit card information he acquired did not come from e-commerce, but rather from retail establishments that improperly stored customer data. In fact, an early jackpot came from a computer Butler hacked into that happened to be sitting in a Pizza Schmizza restaurant near Vancouver, Washington, a big town north of Portland, Oregon.
His scanning put him inside a Windows machine that, on closer inspection, was in the back office of a Pizza Schmizza restaurant in Vancouver, Washington; he knew the place, it was near his mother's house. As he looked around the computer, he realized the PC was acting as the back-end system for the point-of-sale terminals at the restaurant -- it collected the day's credit card transactions and sent them in a single batch every night to the credit card processor. Max found that day's batch stored as a plain text file, with the full magstripe of every customer card recorded inside.
This kind of data -- the "full magstripe" data -- is much more valuable than just your credit card number. Though it's just three lines of text, it can be fed into a machine like the MSR206 and encoded onto a new credit card. Hand it off to a mule, generally a pretty young woman, and the next thing you know, there's a pile of expensive handbags in the trunk that can be resold for pure profit. Hackers, in the new "carder" operations, are merely the beginning of a sad, lame hustle, less Julian Assange and more pickpocket.
You don't always need to be a fan of a subculture to write about it. Outsiders writing about basketball players or ingenues or furries works just fine. Hacking isn't like that. First, it's highly technical. Second, no one will give you access to their adventures if they don't think you'll get it. Hackers stick with their own and they tend to be suspicious of the ink-stained wretches who like to caricature them. Poulsen's bona fides and oft-tested bullshit-o-meter obviously got him amazing access to Butler and his associates, so he could have written all kinds of accounts. But Kingpin isn't laudatory or moralizing. Instead, it's the first honest account of what the dark side of hacking is really like now, at once more prosaic and more dangerous than you want to believe.