By Kevin Poulsen
July 11, 2006
A federal appeals court upheld a nine-year prison term Monday for a hacker
who tried and failed to steal customer credit-card numbers from the Lowe's
chain of home improvement stores.
Brian Salcedo, now 23, has been in custody since 2003, when an FBI
stakeout caught him and a partner breaking into several Lowe's networks
over an unsecured Wi-Fi connection at a suburban Detroit store.
Under Monday's ruling, Salcedo will not be eligible for release until May
Assistant U.S. attorney Matthew Martens, who prosecuted the case, said the
sentence is long, but appropriate. "I hope it achieves, not only justice
in this case, but deterrence to other people thinking about doing
something similar," Martens said.
Salcedo's partner in the abortive caper, 22-year-old Adam Botbyl, has less
than two months left on a sentence of 26 months for his role in the plot.
After serving most of that time in custody, Botbyl is now in a halfway
house in Detroit.
According to court records, Botbyl stumbled across the unsecured wireless
network at the Southfield, Michigan, Lowe's in the spring of 2003, while
he and a roommate were wardriving the area in search of Wi-Fi hot spots.
He returned six months later with Salcedo, who was on the last month of a
three-year probation term from a juvenile computer crime conviction.
Together, the pair discovered they could jump from the Southfield Lowe's
to the company's central data center in North Carolina, and from there to
the local networks at stores around the country.
Lowe's detected the intrusions and called in the FBI, who staked out the
store parking lot. The agents eventually spotted Botbyl's Pontiac Grand
Prix, bristling with antennas and occupied by two young men typing on
laptops. The agents watched them work for 20 minutes, then trailed them to
a Little Ceasar's pizza restaurant and a local multiplex, while Lowe's
security team worked to figure out what the hackers had done.
They discovered that at two of the stores -- in Long Beach, California,
and Gainseville, Florida -- the pair had modified a proprietary piece of
software called "tcpcredit" that Lowe's used to handle credit-card
transactions, changing the program so it would stash customer's
credit-card numbers where the hackers could retrieve them later. The
program had collected only six credit-card numbers when it was discovered.
The FBI arrested Salcedo, Botbyl and -- apparently mistakenly -- Botbyl's
roommate, Paul Timmins, who later pleaded guilty to a misdemeanor for
using the Wi-Fi network to check his e-mail. Salcedo and Botbyl pleaded
guilty to conspiracy and computer fraud in plea agreements with
Though there's no evidence either man saw a single stolen credit-card
number, and despite cooperating to help Lowe's boost its security after
his arrest, Salcedo was sentenced to what the government described at the
time as the longest U.S. prison term for a hacker in history.
The sentence was largely based on the amount of harm that would have
resulted had the plan succeeded. On appeal Salcedo's lawyer argued that
the hacker's sentence should have been commensurate with the actual damage
he caused, but on Monday a three-judge panel of the U.S. 4th Circuit Court
of Appeals disagreed. "We find that the district court did not err in
using Salcedo's admitted intentions to harm 250 or more victims and to
traffic the stolen information to enhance his sentence," the decision
The prison term far outstrips the sentences handed down for more
successful online thieves. For example, last month 24-year-old Andrew
Mantovani, one of the leaders of the Shadowcrew fraud ring, was sentenced
to 32 months in prison after admitting to using phishing and spamming
techniques to steal credit-card numbers, which he used to make online
Salcedo's attorney did not return a phone call Monday. Reached by phone,
Timmins said Salcedo's and Botbyl's ultimate plan was to install the
hacked tcpcredit code at all the Lowe's outlets, tapping into a torrent of
credit-card data. "It was serious," he said. But he still wasn't expecting
the sentence to survive appeal.
"I'm just kind of surprised that they upheld it," he said. "That's an
incredibly long time."
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.