[ISN] Crazy-Long Hacker Sentence Upheld

From: InfoSec News (alerts@private)
Date: Tue Jul 11 2006 - 22:44:07 PDT


By Kevin Poulsen
July 11, 2006

A federal appeals court upheld a nine-year prison term Monday for a hacker 
who tried and failed to steal customer credit-card numbers from the Lowe's 
chain of home improvement stores.

Brian Salcedo, now 23, has been in custody since 2003, when an FBI 
stakeout caught him and a partner breaking into several Lowe's networks 
over an unsecured Wi-Fi connection at a suburban Detroit store.

Under Monday's ruling, Salcedo will not be eligible for release until May 

Assistant U.S. attorney Matthew Martens, who prosecuted the case, said the 
sentence is long, but appropriate. "I hope it achieves, not only justice 
in this case, but deterrence to other people thinking about doing 
something similar," Martens said.

Salcedo's partner in the abortive caper, 22-year-old Adam Botbyl, has less 
than two months left on a sentence of 26 months for his role in the plot. 
After serving most of that time in custody, Botbyl is now in a halfway 
house in Detroit.

According to court records, Botbyl stumbled across the unsecured wireless 
network at the Southfield, Michigan, Lowe's in the spring of 2003, while 
he and a roommate were wardriving the area in search of Wi-Fi hot spots.

He returned six months later with Salcedo, who was on the last month of a 
three-year probation term from a juvenile computer crime conviction. 
Together, the pair discovered they could jump from the Southfield Lowe's 
to the company's central data center in North Carolina, and from there to 
the local networks at stores around the country.

Lowe's detected the intrusions and called in the FBI, who staked out the 
store parking lot. The agents eventually spotted Botbyl's Pontiac Grand 
Prix, bristling with antennas and occupied by two young men typing on 
laptops. The agents watched them work for 20 minutes, then trailed them to 
a Little Caesars pizza restaurant and a local multiplex, while Lowe's 
security team worked to figure out what the hackers had done.

They discovered that at two of the stores -- in Long Beach, California, 
and Gainesville, Florida -- the pair had modified a proprietary piece of 
software called "tcpcredit" that Lowe's used to handle credit-card 
transactions, changing the program so it would stash customers' 
credit-card numbers where the hackers could retrieve them later. The 
program had collected only six credit-card numbers when it was discovered.

The FBI arrested Salcedo, Botbyl and -- apparently mistakenly -- Botbyl's 
roommate, Paul Timmins, who later pleaded guilty to a misdemeanor for 
using the Wi-Fi network to check his e-mail. Salcedo and Botbyl pleaded 
guilty to conspiracy and computer fraud in plea agreements with 

Though there's no evidence either man saw a single stolen credit-card 
number, and despite cooperating to help Lowe's boost its security after 
his arrest, Salcedo was sentenced to what the government described at the 
time as the longest U.S. prison term for a hacker in history.

The sentence was largely based on the amount of harm that would have 
resulted had the plan succeeded. On appeal Salcedo's lawyer argued that 
the hacker's sentence should have been commensurate with the actual damage 
he caused, but on Monday a three-judge panel of the U.S. 4th Circuit Court 
of Appeals disagreed. "We find that the district court did not err in 
using Salcedo's admitted intentions to harm 250 or more victims and to 
traffic the stolen information to enhance his sentence," the decision 

The prison term far outstrips the sentences handed down for more 
successful online thieves. For example, last month 24-year-old Andrew 
Mantovani, one of the leaders of the Shadowcrew fraud ring, was sentenced 
to 32 months in prison after admitting to using phishing and spamming 
techniques to steal credit-card numbers, which he used to make online 

Salcedo's attorney did not return a phone call Monday. Reached by phone, 
Timmins said Salcedo's and Botbyl's ultimate plan was to install the 
hacked tcpcredit code at all the Lowe's outlets, tapping into a torrent of 
credit-card data. "It was serious," he said. But he still wasn't expecting 
the sentence to survive appeal.

"I'm just kind of surprised that they upheld it," he said. "That's an 
incredibly long time."
