This story began last year, when I became aware of the HVAC compromise, and gathered information about it to turn over to FBI.  Throughout the process, I have been very impressed with the technical skill and responsiveness of the FBI agents.  I am also very happy with this outcome.  This may serve to educate organizations with control systems about the threats and vulnerabilities that are possible, and put other “script-kiddie” type hackers on notice that they can be tracked down and prosecuted for their actions.

The press release for the guilty plea is not yet available on the DOJ website, but the following articles are available:

• Security guard pleads guilty to hacking his employer - Bob McMillian, IDG News Service
• Hacker Known as “GhostExodus,” Who Broke Into Carrell Clinic Computers, Pleads Guilty – Robert Wilonsky, Dallas Observer (This article has the complete text of the DOJ press release)
• Arlington man pleads guilty to hacking medical clinic’s computers – Nathaniel Jones, Star Telegram

I have a large collection of PDFs of court filings for this case, which I may post with commentary at some point soon, now that he has entered a guilty plea.  The PDFs make for interesting reading and a wild ride, and I don’t know of any other resources that have good documentation of a hacker case.  I’m looking forward to going through them again.

For those of you who are new here: This is obviously not how I roll.  Not only is it not something I would do (protip: don’t do pentesting for free), but the capitalization is awful.

Our good friend MR^E of the ETA dropped by this earlier in the day also, to leave troll comments and launch a pointless spider/scan against the site (again), so I figured I’d take a look and see what’s going on over at their new site, hackserver.org:

Wow!  MR^E figured it out before I did!  When asked about it by another member, he responded:

Stumbling across it before it even has a chance to get indexed by Google?

I’ll leave the conclusions as an exercise for the reader.

Tommorow morning, I will be giving a lecture to the CS4243/6243 Information and Computer Security class at Mississippi State University.  It will cover the events that led up to, and followed from, the arrest of Jesse “GhostExodus” McGraw on charges of installing malicious code onto hospital computer systems, including a system that was the HMI (Human-Machine Interface) of the SCADA system controlling ventilation, air-conditioning, and various aspects of the surgery wing.

The purpose of the talk is to cover some of the more interesting points of evidence that was gathered, documents surrounding the arrest and indictment, and some of the aftermath.  To give the students some practical skills to take away, I’ll be discussing some of the methodology used that would be applicable when responding other incidents.  It’s difficult to fit everything into a 50-minute lecture, but I believe I’m hitting the most interesting and entertaining points, and will be happy to go into more detail with smaller groups of interested students afterwards.

I am making the slides available here, however you will notice that they mostly consist of images and screengrabs for me to use as talking points.  While they may or may not be interesting standing alone, I’ve uploaded them primarily to serve as a reference for the students that have attended the lecture:

If I’m happy with how the lecture goes, I may use it as a reference to record some narration on top of the above slides and make it available on this site.

If you are in the area and wish to drop in on this lecture, you are welcome to do so.  It will be at 9:00 AM, Monday August 31, in Butler 103.

If you are a student in the class, coming here for the slides, and are new to the site, these are the posts related to this lecture:

• http://www.mcgrewsecurity.com/2009/06/30/ghostexodus-the-eta-and-a-control-systems-incident-at-carrell-clinic-part-1/
• http://www.mcgrewsecurity.com/2009/07/02/ghostexodus-part2/
• http://www.mcgrewsecurity.com/2009/07/06/ghostexodus-the-eta-and-a-control-systems-incident-at-carrell-clinic-part-3/
• http://www.mcgrewsecurity.com/2009/07/07/ghostexodus-part4/
• http://www.mcgrewsecurity.com/2009/07/23/ghostexodus-indicted-for-control-system-incident/
• http://www.mcgrewsecurity.com/2009/08/21/cisco-weighs-in-on-the-ghostexodus-control-systems-incident/

• Hacked! Dallas Federal Grand Jury Indicts Electronik Tribulation Army’s GhostExodus

If convicted, he faces up to 10 years in prison, and $250,000 in fines and restitution.

Meanwhile, the remaining members of ETA are a lot more quiet than they used to be.  XXxxImmortalxxXX, now also known as “system666″, is still a member of ETA, according to his signature on this forum, despite being the one that inadvertently tipped me off to GhostExodus’ activities:

• Very Basic tut – SecurityTeam / Hackers Gr0up

The Fixer, a member, or at least former member, is confused about the difference between the script kiddie hacker group ETA and the Basque seperatist group ETA (“Euskadi Ta Askatasuna”):

• Hack Forums – Another ETA Member Arrested

If you’d like to catch up, here are the previous posts in this series:

• Part 1
• Part 2
• Part 3
• Part 4

If I had the stamina and will to maintain a “skiddie clown quote of the day” for any length of time, this would be a prime candidate.  Especially this part:

im sick of being hacked ive done nothing wrong expect steal about 200 passes

Looking at posts like this got me to thinking about this scene’s combination of wanting to learn about “hacking”, inexperience, and the desire to do something immediately “fun” (important point: they want to jump straight to 0wnage, with a minimum of time studying how).  It reminded me of a phenomenon I was seeing on forums like this a while back, where members were becoming aware of the CSIS and SANS US Cyber Challenge competitions:

• SANS Institute – US Cyber Challenge

These challenges are geared towards high school students and undergraduates, and it gives them a interesting and competitive outlet for exercising skills that might otherwise be used for more script-kiddie-like endeavors.  In addition, it helps give them motivation to learn new skills that’s missing when you have an entire Internet’s worth of computers out there that have vulnerabilities you already know how to exploit.  In a recent interview with Forbes, the director of SANS, Alan Paller, stated the logic behind this kind of competition well:

“Offense must inform defense,” he says. “We’d like it to be just training defenders, but if they don’t know how attacks are performed, they’ll be incompetent.”

It might work, too.  If the structure of this training (which is still in its infancy) is good, and it’s interesting and challenging enough, then it could be possible to leverage script-kiddie-level skills into something useful.

This might be what some of the people on these forums are looking for.  I’ve already witnessed an entire “hacking group” that normally occupies themselves with web defacement split into teams and sign up for the DC3 forensics challenge.  On another site, I noticed that GhostExodus, before he was arrested, had signed up for the DC3 challenge as well, as had XXxxImmortalxxXX (the guy who bragged to me about GhostExodus’ hacks).

Maybe in the near future, activities like the US Cyber Challenge will get people like this on a productive path before they wind up getting into trouble.

• Part 1 – Definitely read the criminal complaint.
• Part 2 – Watch some videos

In this post I will be displaying and discussing some screenshots that Jesse “GhostExodus” McGraw posted online.  These screenshots were taken on the PC controlling Carrell Clinic’s HVAC system, uploaded to a photobucket account owned by GhostExodus, and linked to in posts on anarchistcookbook.com and warezscene.org (still available there).  When XXxxImmortalxxXX initially bragged to me about hacking this HVAC system himself, he linked the same photobucket images directly, which led me to discover the forum posts that linked the same images.

What you’re looking at in these screenshots, if you’re not familiar with control systems, is Human-Machine Interface (HMI) software.  HMI software represents what would have once been a physical control panel with switches, dials, gauges, and other similar elements.  The software displays the status of various elements of the system, and allows the operator to make changes, either directly (by flipping a switch, for example), or by modifying a parameter that the system automatically tries to maintain or use as a boundary.

Since the HMI for a control system is very specific to that system, HMI software is typically distributed as a combination of IDE (for developing the custom interface) and a runtime (for running the developed system).  HMI systems also implement access control and auditing, features that often serve as a last line of defense for a control system.  While I cannot speak for BACtalk’s security (I have no experience with it yet), a combination of misconfiguration and vulnerabilities in HMI products’ security features can lead to this layer of defense being weak.  Until HMI software security improves, it’s very important to layer defenses around them, with strict control over who can access the systems physically or over a network.

Let’s take a look at the shots (click them to see them at full resolution):

In this shot, you can see what appears to be a “main menu” for the control system, with buttons that take you to other screens that control different sections of the hospital.  The most interesting thing here is the dialog box, “BACtalk Alarm”.  The “Acknowledge” buttons allow an operator to record that he or she has seen the alarm, which should go in an audit log that can be reviewed if there are problems in the future.  An attacker with access to these systems and the associated logs could “acknowledge” alarms that were meant to be seen by operators, and potentially even modify the audit logs.  The criminal complaint against GhostExodus made reference to problems with alarms this specific HVAC system was having after being compromised.

Here, we see a floorplan for an area of the hospital containing some operating rooms (OR 2 through OR 5).  Among other things, you can see the open/closed status of the vents in various rooms.  The buttons to the right of these status could be controls to toggle the status.  I’m not really sure what the weird gray graphic between/overlapping the status of “AHU 7 OA Alarm” and “AHU 4 OR Alarm” is.  If you have a guess, leave a comment. (Nevermind, glitch in GIMP.)

Note that since HMI interfaces are custom-designed in an IDE for the purposes of each control system, that the user interfaces are not always self-explanatory.  Operators have to be trained to understand the elements of each system.  This one’s not really that bad compared to a lot of them, though.

This is the scary one.  It’s a list of parameters for systems in a “Surgery Center” or operating room.  Here, an operator (or attacker) can modify the temperatures and levels at which pumps kick in, or shut things on and off.  I’m not familiar with hospital control systems, and especially not with those involved in surgery, but I imagine that changes made to these systems could wreak some havoc.

These screenshots were posted by GhostExodus on the warezscene and anarchistcookbook forums with the following text:

Spreading botnets is boring. But sometimes you get a hefty prize for all your hard work and labor. Like this you see below. An HVAC server. An HVAC is: HVAC (pronounced either “H-V-A-C” or “H-vak”) is an initialism or acronym that stands for “heating, ventilating, and air conditioning”. HVAC is sometimes referred to as climate control and is particularly important in the design of medium to large industrial and office buildings such as skyscrapers and in marine environments yay for wiki

In reality, GhostExodus compromised the system with physical access as a night security guard.  It is not known if this HMI was “legitimately” accessible remotely with RDP or similar protocols.  It was revealed in the criminal complaint that malicious software allowing for remote access was confirmed to be installed on the system.

GhostExodus followed up in the same thread on warezscene with this post:

nice. You almost can’t help it ya know. It must be done!

Hopefully this isn’t something many people feel compelled to do.

Yesterday afternoon was GhostExodus’ detention hearing.  I’m not very familiar with the process one goes through after being arrested for something like this, so I had to look up what this meant.  I found the following site which, I believe, explains detention hearings well:

• http://bennettandbennett.com/blog/2007/08/detention-hearing-in-federal-court.html

(Looks like a cool site beyond this, even.  Kind of a legal equivalent to the blog I run here.)

I was informed yesterday afternoon that the Judge in this case found that there was probable cause to detain Jesse McGraw while the case is pending.

Here are some links to the coverage this is getting.  I’m linking articles that I think my readers would enjoy, especially those where the reporters were thorough enough to contact me personally to get the stories:

• http://www.theregister.co.uk/2009/07/01/hospital_hacker_arrested/
• http://www.pcworld.com/businesscenter/article/167756/security_guard_charged_with_hacking_hospital_systems.html
• http://blogs.dallasobserver.com/unfairpark/2009/07/hacking_the_hacker_ghostexodus.php

The members of the press I’ve talked to on the phone and over IM have been very nice.  There are many more stories than this, you can poke around on Google News if you like, but your best source of technical information for fellow security and control-systems folks is going to be right here, of course :)

Now, time to break out the popcorn.  Here are two of the most interesting videos that were posted to GhostExodus’ youtube accounts.  It’s my understanding that these videos were played in court yesterday.  After each video, I’ve summarized some points of interest in each video:

• “Post July 4th” is a strange choice of title here, as it’s before July 4th, and in preparation for the attacks scheduled for the 4th
• He’s recording this by holding his laptop in front of him (reflections in elevator)
• Claims to have infiltrated corporate offices, but it’s obviously a medical facility
• Watch for medical charts and such on the walls when he sits down
• Appears to be the collar of a security guard uniform peeking out of the top of the hoodie
• The FBI identified this computer at the clinic by the toy flamingo on top of the monitor

• This was recorded at a desk at the hospital where McGraw was a security guard.
• I thought about buying one of those camera pens until I saw this.  Not inconspicuous.
• Showing off your fake FBI credentials on youtube isn’t very smart.

I will continue this series with more posts, discussing the HVAC compromise, how I came to be aware of it, and the techniques I used to gather information on the suspect.  Still pooped from talking to so many people about this, but I’m enjoying spreading the gospel of control-systems security ;)

Naughty avatar censored, but I kept the language in case you want to try and make any sense of this chunk of thread.  PsyKon-X’s contribution is particularly hard to read through:

Perl does indeed work my friend but the coders in which the perl hack was designed for are being patched faster than the hacker is making the perl scripts, and also depends on if the person using the script for example is using phpbb and hasnt patched it with the new version this is vulnrable

Diagram that sentence.

All of you whitehats posting scripts to milw0rm are killing the perl hacking scene ;-).

I was getting bored of the call, and decided to fire up Audacity, in order to record some of his profane rants and play them back to him.  Once he wrapped his head around the fact that I was able to record the call, he decided that he wanted me to record a message to post here, on my website.

The following, is that message.  While I took this as an opportunity to play around with iMovie, I haven’t censored any of the language or idiocy that’s present in his audio.  If you are easily offended, then you might not want to watch.  If you’re at work, well, you might want to save this till you get home, or get some headphones :)

Edit: Yousif apparently didn’t like the fact that this video was in the “Related Videos” box for the commercial he made ripped off from Lanier Leather for his affiliate marketing site.  He managed to report the YouTube version of this video into oblivion, so here it is on metacafe:

Edit: Awesome comments down below.  Glad you could join us, Mark.  I guess this is where you can contact him for the time being.

Posts like this don’t have much technical content, but they’re fun, and the last one has been a wildly popular part of the site.  While you’re laughing your butt off, I hope you take away the real message here: do some background research on who you’re dealing with in the computer security scene.  If you got here by googling up information on this particular skiddie, then you’re already one step ahead of the game.  Just because someone has a legit-looking website and blog doesn’t mean they’re on the up-and-up :)

Since my first post about Yousif’s activities, I’ve had the pleasure of many late-night phone calls from him, being DOS’d for about a half hour, and having his friend threaten to hack my coffee maker.  I was promised a beat-down at Black Hat, although I unfortunately could not make it.  I am, however, sort of disappointed that I don’t warrant being stabbed, like Yousif has threatened to do to Lee Hinman over at the excellent writequit.org blog.  He is, however, willing to pay someone else to do the dirty work.

In the meantime, he hasn’t let up in his activities.  He has been hanging out on an Internet marketing forum, although his taste for script-kiddie hacking has not subsided.  He still has a penchant for attacking sites outside of well-defined pen-tests, still loves to threaten people who correct him, and runs his own small botnet.

Apparently looking to supplement his vapt-sec.com income with some cost-per-action fraud, he’s been hunting around for cohorts to develop software to fill out forms and offers on CPA advertisers, and to come in through his referral links from multiple IP addresses to fill out forms.  I took this as an opportunity to form my own “black hat” alter-ego, and have a good heart-to-heart chat with Yousif.  After a couple of boring evening chat sessions building up my “black hat” cred with him, he began to open up.

The following are some choice excerpts and quotes.  I’ve censored both his language and mine.  I do swear in-person, occasionally on IRC, and rarely on the blog, however I did ratchet it up about 12 notches with “elite yousif”, to build rapport.

Since he gets others to write his software for him, he occasionally gets his languages confused:

11:03:05 PM elite yousif: So
11:03:12 PM elite yousif: You know anyone who has botnets
11:03:39 PM bhb: i have a couple friends who might.  have a need?
11:03:50 PM elite yousif: Yeah
11:04:37 PM elite yousif: It’s quite helpful in CPA
11:05:16 PM bhb: yeah i was thinking of writing some code to work through a botnet, filling stuff and using the random ID generator
11:05:27 PM elite yousif: No need, lol.
11:05:35 PM elite yousif: I’m making something like that as we speak.
11:05:39 PM bhb: nice
11:05:50 PM bhb: what language do you code in
11:06:01 PM elite yousif: What language did I code this in?
11:06:11 PM bhb: yah
11:06:41 PM elite yousif: Net
11:06:54 PM bhb: c#
11:06:55 PM bhb: ?
11:07:21 PM elite yousif: nope
11:07:22 PM elite yousif: .NET <
11:07:29 PM elite yousif: Microsoft, ya know?
11:08:01 PM bhb: .net’s a platform, theres lots of languages you can code targeting .net
11:08:06 PM bhb: vb.net maybe?
11:08:13 PM elite yousif: Yeah, that’s right.
11:08:21 PM elite yousif: Vb.NET <

Don’t mess with this guy.  Especially in school:

11:56:56 PM elite yousif: No one ***** w/ me..
11:56:59 PM elite yousif: No one @ all.
11:57:02 PM elite yousif: Not even in school
11:57:03 PM elite yousif: They know
11:57:05 PM elite yousif: I can change their grade
11:57:09 PM elite yousif: expell them
11:57:10 PM elite yousif: frame them
11:57:11 PM elite yousif: etc
11:57:17 PM elite yousif: I can drop your docs too
11:57:21 PM elite yousif: know what shoe size you wear
11:57:23 PM bhb: heh nice
11:57:25 PM elite yousif: know your fam history
11:57:27 PM elite yousif: CC
11:57:29 PM elite yousif: S#
11:57:30 PM elite yousif: where u live
11:57:30 PM elite yousif: etc
11:57:59 PM bhb: knock some kiddies on their ***** online lol
11:58:18 PM elite yousif: lol
11:58:59 PM bhb: ***** haters lol
11:59:09 PM elite yousif: I know AOL internals too
11:59:11 PM elite yousif: ppl who work there
11:59:13 PM elite yousif: with high privs.
11:59:14 PM elite yousif: can easily
11:59:16 PM elite yousif: hi jack
11:59:19 PM elite yousif: any AOL/AIM account
11:59:22 PM elite yousif: and get info behind it
11:59:23 PM elite yousif: =D
11:59:31 PM elite yousif: i social engineer as well
12:00:08 AM bhb: hah that’s useful

A social engineering mastermind, to be sure.

Here, he’s a little sore that his affiliate program dropped him after figuring out his referrals weren’t legitimate:

12:03:12 AM elite yousif: you haven’t made any money in CPA yet?
12:03:43 AM bhb: haven’t even started.  just been reading up on it on the side, besides coding and work
12:04:30 AM elite yousif: ah
12:04:40 AM bhb: you made much?
12:04:42 AM elite yousif: I got my account terminated
12:04:45 AM elite yousif: 2 days ago
12:04:48 AM elite yousif: from a network
12:04:52 AM elite yousif: ***** bro, i swear
12:04:52 AM bhb: haters
12:04:53 AM elite yousif: I lost
12:04:56 AM elite yousif: 2000+ dollars
12:04:59 AM elite yousif: I better get my ***** back
12:05:00 AM elite yousif: OR
12:05:08 AM elite yousif: I’m gonna make my affiliate managers life a living HELL
12:05:14 AM elite yousif: I have access to her AIM account
12:05:15 AM elite yousif: verizon
12:05:17 AM elite yousif: photobucket
12:05:19 AM elite yousif: paypal
12:05:20 AM elite yousif: blogger
12:05:23 AM elite yousif: and some other *****
12:05:25 AM elite yousif: and facebook
12:05:29 AM elite yousif: she doesn’t know it yet
12:05:31 AM elite yousif: but I phished that *****

Bragging about taking down RSnake’s site (note: there’s an excellent chance this never really happened):

3:00:44 AM elite yousif: you know rsnake?
3:00:46 AM elite yousif: robert hansen
3:00:48 AM elite yousif: famous as *****..
3:00:49 AM bhb: yeah
3:00:51 AM elite yousif: k
3:00:51 AM elite yousif: well
3:00:53 AM elite yousif: his site
3:00:54 AM elite yousif: let me find it
3:01:03 AM bhb: ha.ckers.org or something
3:01:22 AM elite yousif: nah
3:01:23 AM elite yousif: his company
3:01:29 AM bhb: oh i dunno
3:02:26 AM bhb: sectheory?
3:02:58 AM elite yousif: yeah
3:02:59 AM elite yousif: rofol
3:03:02 AM elite yousif: i ddosed that
3:03:03 AM elite yousif: with my friend
3:03:04 AM elite yousif: in like
3:03:05 AM elite yousif: what
3:03:06 AM elite yousif: maybe
3:03:09 AM elite yousif: 3 mins
3:03:10 AM elite yousif: it was down
3:03:14 AM elite yousif: some security expert eh?

If there were any doubts about how he’s taking part in CPA fraud:

4:44:10 PM bhb: how are you supposed to make any money at it if you arent botting it anyways lol
4:44:25 PM elite yousif: what do you mean?
4:44:48 PM bhb: like automating it through a bunch of proxies/bots
4:45:02 PM bhb: how can you find that many people wanting to do it legit to keep making money
4:45:14 PM elite yousif: lol
4:45:17 PM elite yousif: u infect more victims
4:45:22 PM elite yousif: you market your trojan or w.e.
4:45:27 PM elite yousif: and more ppl open it
4:45:37 PM bhb: heh yeah so a loose definition of “legit” lol :D
4:45:48 PM elite yousif: yep
4:45:48 PM elite yousif: lol
4:45:59 PM elite yousif: you know what company is cool though?
4:46:03 PM bhb: you have nice custom trojans for it?
4:46:03 PM elite yousif: ******
4:46:10 PM elite yousif: i talked to the owner
4:46:10 PM bhb: cool you work with them too?
4:46:12 PM elite yousif: really cool guy
4:46:14 PM elite yousif: says
4:46:18 PM elite yousif: i can do black hat if i want
4:46:21 PM elite yousif: and he wont term. my account

Then, I managed to get him on the subject of yours truly :):

5:02:12 PM elite yousif: LOL
5:02:19 PM elite yousif: http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0545.html
5:02:21 PM elite yousif: that link u sent me
5:02:25 PM elite yousif: i know the guy who wrote that
5:02:27 PM elite yousif: wesley mcgrew
5:02:30 PM elite yousif: that dude is such a *****
5:02:36 PM bhb: he talks like one
5:03:01 PM elite yousif: he started talking ***** about my business and me because he claims that i hack around sites without permission and that i gave him access to my computer, WTF..
5:03:25 PM elite yousif: so i told him to go to black hat in vegas, and he said hes not going this year — i told him if i saw him id tackle him

I’m not really sure if the following about the director of Black Hat contacting him is true (I never contacted the Black Hat folks about it, since it’s not really a credible threat).  He probably just made it up after he found out how much Black Hat costs:

5:05:11 PM elite yousif: u know what he did
5:05:11 PM elite yousif: he spoke with teh director of black hat
5:05:11 PM elite yousif: and he told him that i would beat his ***** if i saw him
5:05:11 PM elite yousif: so he got scared
5:05:11 PM elite yousif: so the director listened to him
5:05:20 PM elite yousif: and said i cant attend black hat this yea
5:05:20 PM elite yousif: year*
5:05:38 PM bhb: lol that’s hilarious did the director email you or something
5:05:44 PM elite yousif: no he IM’d me
5:05:51 PM bhb: ahah
5:05:52 PM elite yousif: then i followed his profile and he actually WAS the director of black hat
5:05:54 PM elite yousif: oh well
5:05:59 PM elite yousif: he knew i wasn’t kidding

This did happen, although he and his friends would usually get bored and give up after a few calls:

5:06:00 PM elite yousif: i called him
5:06:03 PM elite yousif: 1000 times
5:06:07 PM elite yousif: i cussed him out badly
5:06:12 PM elite yousif: and i demanded to talk to his wife
5:06:14 PM elite yousif: so i can cuss her outtoo
5:06:17 PM elite yousif: her out too*
5:06:18 PM elite yousif: but he wouldn’t elt
5:06:20 PM elite yousif: let*

Remember kids, don’t DDOS on a school night:

5:14:51 PM elite yousif: ask him if i DDoSed his *****
5:15:03 PM elite yousif: he’ll either lie and say ‘it’s server issues @ night” or he’ll admit like a ***** i owned him
5:15:25 PM bhb: hah what an idiot.  how long did you ddos him for
5:15:36 PM elite yousif: for about 2-3 hrs
5:15:42 PM elite yousif: i was bored and it was late
5:15:45 PM elite yousif: i had school next morninig
5:15:47 PM elite yousif: so i let him go
5:15:48 PM elite yousif: lol

There’s a $400 bounty on my head.  My wife, a friend, and I considered faking some photos and video to claim it, but I guess we’re just too nice:

5:33:36 PM elite yousif: can you go to missipi?
5:33:39 PM elite yousif: ill pay you like
5:33:42 PM elite yousif: 400
5:33:44 PM elite yousif: to beat his ***** for me
5:33:46 PM elite yousif: no joke
5:34:03 PM bhb: lol maybe if im hard up for some money one day
5:34:14 PM bhb: you should definitely go though, that ***** would be classic
5:34:28 PM elite yousif: do u know anyone would do it?
5:34:34 PM bhb: show all the whitehats that you dont ***** with the blackhats cause they take it into RL
5:34:36 PM elite yousif: i seriously will pay $400 for it
5:35:06 PM bhb: i dont know anyone up for that but it shouldnt be too hard to find
5:35:20 PM bhb: lol craigslist, i bet theres tons of local rednecks there that would do it
5:35:27 PM elite yousif: lol
5:35:35 PM elite yousif: id rather talk to someone i already know
5:36:03 PM bhb: hah just tell them the money transfers when you see a jpg of his bloody nose lol
5:36:33 PM elite yousif: rofl
5:36:35 PM elite yousif: good idea
5:37:28 PM bhb: http://northmiss.craigslist.org/
5:38:10 PM bhb: i dunno what category lol
5:38:15 PM elite yousif: lol
5:38:17 PM elite yousif: murder
5:38:20 PM bhb: loool
5:39:57 PM bhb: services – labor & moving, that probably has the most steroid pumped rednecks
5:40:15 PM elite yousif: lol
5:40:21 PM elite yousif: bro i would never do it off tehre
5:40:27 PM elite yousif: ***** u know feds just hang out there
5:40:30 PM elite yousif: waiting for somone to ***** up

I’ll leave you with the last words he had to say to my dummy AIM account:

7:28:14 PM elite yousif: yo
7:28:30 PM elite yousif: is there a way to make your cd burner recognize dvd-r’s?

Brilliant.