What exactly is the government planning to do with Mafiaboy’s 160 bucks?
That was the laughable fine, along with the equally pathetic eight-month sentence, imposed on the 17-year-old hacker yesterday by a Montreal court. After instigating distributed denial-of-service attacks on Yahoo, Buy.com, eBay and other major portals that caused some US$1.7 billion in damage, Mafiaboy must cough up less than the price of the average CD-ROM drive.
But then, what were they going to do? He’s a young offender, and this is how we deal with young offenders in this country. In light of the terrorist attacks on the World Trade Center and Pentagon Tuesday, Mafiaboy’s criminal activities now seem like an impish prank.
Though prosecutors said they hoped the sentence would send a strong message against the world’s hacker community — which isn’t likely — there has been little to no comment by any of the companies affected. If North America wasn’t trying so hard to get over the recent violence, they might have been more vocal. Or maybe not: there is every reason to think the companies behind the portals were utterly embarrassed to be taken down by a near-child, given how much lip-service they’ve paid to importance of security on their sites.
Almost 18 months after Mafiaboy made his mark on high-tech history, it doesn’t feel like the industry has learned much from the incident. Earlier this year Microsoft, of all companies, was left red-faced after DDoS attacks effectively blockaded users from its Web sites for more than two hours. In the scrutiny that followed, the world learned that Microsoft used a single switch to connect its DNS servers. This is not an architecture that demonstrated a well thought-out security strategy; it looked more like an a solution for one-stop-hacking. Does this sound like the behavior of an industry leader?
Companies that play the victim following these attacks don’t just risk losing credibility with commercial customers. They also potentially face the wrath of service providers, who often bear the brunt of customer outrage and frustration when they can’t navigate the Internet properly.
Things aren’t helped by the widely-available DDoS tools that have been flooding the Internet since 1999. Even a few months ago, the U.S. National Infrastructure Protection Center sent out warnings about the 1i0n Linux worm, which exploits a vulnerability in DNS software. While security firms try to convince corporate enterprises to buy another firewall, why isn’t there more of a collective effort to address the ongoing holes in the Berkeley Internet Name Domain, or BIND, that would give customers some real piece of mind? This is one case where the decision to upgrade should not be ignored. BIND V. 9 is apparently safe from the flaws that could bring sites down, but there has to be more advocacy and awareness-building from the industry to communicate it to customers.
It took Mafiaboy to put DDoS and the infrastructure issues surrounding it on the map. His trial may be over, but that doesn’t mean the case should be closed.