The guest keynote speakers at technology conferences can be hit or miss, but Hitachi Data Systems (HDS) Canada (NYSE: HIT) certainly scored a hit by bringing in Michael Calce, aka Mafiaboy, to speak at its recent Information Forum event in Toronto.
Calce, who rose to prominence as the teenage hacker from Montreal who was the target of an RCMP/FBI manhunt following a massive directed denial of service attack that brought down the Web sites of major companies such as CNN, Amazon, Dell and Yahoo in 2000, provided a fascinating recounting of the events of a misguided youth, and a chilling warning of the dangers of over-sharing in the information age we’d all be wise to heed.
Calce got started with computing early, getting his first white box PC when he was six. He worked his way through it, devouring the manual and learning the technology, fascinated by the capability to play games and store data. Like a good Canadian, when he began to dabble in programming the first application he wrote was a program to store and keep track of his hockey card collection (he’s a Montreal Canadiens fan).
He first got onto the Web at age nine, and we can perhaps trace his troubles back to one of those ubiquitous annoyances of the 1990s: those America Online CDs that littered our junkmail, offering 30 days of free AOL service. Calce said he was fascinated by AOL and the online interaction it offered him with people around the world.
The problem was he didn’t realize that it was only the first 30 days that were free. Calce was paranoid he’d lose access to this new world he’d discovered. He was already using AOL to look for cracked versions of games (warez) because “he didn’t want to ask his parents for more, they’d done so much already” and, with his free trial running out, he found an application that allowed him to “social engineer” people on AOL.
He was able to pose as an AOL administrator and contact users, telling him there had been a power outage and he needed them to provide their account information.
“I was surprised that I was successful the fourth time I tried it,” said Calce.
His career launched and AOL access assured, Calce had his first encounter with a real hacker when he ran into a more powerful user while he was “talking smack” in a chat room. In retaliation, that user “punted” him offline and severed his AOL connection temporarily.
“I was fascinated that more capability existed, the ability to overload with data to sever the connection. I went down the rabbit hole,” said Calce.
He soon graduated from AOL to IRC chat, looking for more cracked games to download. Finding long lines of people waiting to download the pirated software, he started looking for ways to skip the line. By this time he was losing focus in school, sleeping through class and staying up all night online. Eventually he found an IRC channel that was recruiting hackers, and convinced the leader to let him learn and give him a chance. He was 11 years old.
“I felt privileged that someone was willing to give me a chance,” said Calce. “It’s really hard to start out in the hacking industry.”
The group was looking for hackers to co-opt public high speed networks like schools and use them as servers to distribute pirated software. It was all about notoriety, he said, not public gain.
“Back when I was hacking the objective was just to hack something to say you’d hacked it,” said Calce. “Today, everything is about monetary gain. Hackers have completely changed their psyche.”
When his IRC hacking group disbanded after its leader disappeared Calce became a self-described “mercenary” in an ongoing IRC war. With everyone doing denial of service attacks he decided he’s better “get suited-up” but there was only so much he could do with his Pentium 133 and a dial-up connection, often with 80 telnet windows open simultaneously. He decided to build a network of “slave” computers, controlled by a master computer, in early 2000.
“My original intention wasn’t to go after Yahoo. I wanted a weapon of mass destruction to end the hacker war,” said Calce. “It wasn’t about e-commerce. It was like a fight in a back alley that ended-up in a shopping mall.”
With his weapon constructed, Calce needed a test. It would have to be a site with lots of bandwidth and lots of users to be a true test, and at the time the obvious candidate was Yahoo.
“I figured if I’m going to run a test and see how effective my application was, why not go out with a bang with Yahoo?” said Calce. “I didn’t think it was going to work against Yahoo, to be honest.”
He set a timer to launch the attack while he was at school, likely asleep at his desk. He was oblivious to what he’d wrought until he got home and saw the buzz online.
“I though oh geez, was this a fluke, did I literally shut down Yahoo?” said Calce. “I figured I’m already in this deep so why not see how far I could go. I just couldn’t believe Yahoo had gone down.”
And reading people on IRC taking credit for his attacks, he realized maybe he had another way to end the hacker war: if people knew he was capable of shutting down Yahoo and CNN, maybe they’d back up and lay down arms.
Then he started reading about losses for e-commerce companies in the billions, and it was a bit beyond his comprehension, he said. When U.S. Attorney General Janet Reno and President Bill Clinton got involved, he knew he was in serious trouble.
“When the President of the United States holds a meeting about something you’ve done and you’re 15 years old, you know you’ve done something wrong at that point,” said Calce.
Saying he was just a “misguided youth who had too much power at his fingertips,” Calce said he has reformed his ways after serving an eight-month open sentence, one year of probation, paying a small fine and was being restricted in his use of the Internet.
Today, Calce said the bandwidth available to the average user is amazing, and a little frightening. No longer do hackers need to exploit complex networks; they can choose from millions of average users with broadband connections and little protection.“So much readily available bandwidth is not a good thing,” said Calce.
He’s now very restricted, by choice, in his online activities. He doesn’t believe in Twitter – “I’m going to get water, so what?” – and he’s on Facebook primarily to keep in touch with old high school friends. But he doesn’t update his status “every two minutes” or put too much information out there for people to read. He doesn’t do online banking, he doesn’t carry a debit or credit card, and he doesn’t shop online.
The risks, he said, are just too great, and the same inherent vulnerabilities in the way the Internet was constructed that he was able to exploit are still there. Unless and until they’re fixed, Calce said he doesn’t feel safe putting too much information online.
Of course, there’s also the question, do we need to share all that we do anyways?
Follow Jeff Jedras on Twitter: @JeffJedrasCDN.