Some estimates put the financial damage caused by his online hacking spree at around $1.7 billion.
But Mafiaboy reiterates that his overall motive in launching those devastating hacking attacks nine years ago was “definitely not criminal.”
“It was all about exploration and taking out my opposing hacker groups,” Michael Calce alias Mafiaboy told attendees at the recently held IT360 conference in Toronto, where he was interviewed by journalist Craig Silverman, who co-authored the book Mafiaboy: How I Cracked the Internet and Why It’s Still Broken with him.
In the year 2000, the so-called “exploratory” denial-of-service attacks by Calce – only 15 years old and a high school student at the time – wreaked havoc on large commercial Web sites including Yahoo!, Amazon.com, Dell, E*TRADE, eBay, and CNN.
Calce was apprehended in April 2000 during a late night raid by Montreal police, but records from his trial indicate that at the time he showed no remorse and had expressed a desire to move to Italy for its lax computer crime laws.
But he eventually pleaded guilty to 56 charges, was sentenced by a Montreal youth court in September 2001, and served eight months in a group home facility.
At IT360 Calce detailed the events leading up to his attacks and subsequent capture.
He said he was part of a Russia-based hacker group fighting for supremacy against other gangs.
“At the time, two main rivals were going head to head – and it was a huge clash.”
The former hacker said he thought he could get ahead of the game by creating, along with a few other people, a tool capable of launching a mass denial-of-service attack.
In those days, he said, denial-of-service attacks targeted individual systems, through programs such as Teardrop that mainly affected Windows 3.1, 95 and NT machines.
The Smurf attack — which floods a target system via spoofed broadcast ping messages — was probably closest to a mass denial of service, he said. “But I decided to take it to a whole new level. And it wasn’t easy.”
Even eight years ago, he said, Yahoo’s advanced network topology was backboned by serious routers and switches. “I wasn’t sure if it was going to work.”
Calce said he realized the full import of what he had accomplished when he visited Yahoo and read the message: Error. Page not found. “Then I saw [my attacks] were more effective than I thought they would be.”
And then, he said, his motives shifted once more, moving beyond the desire to earn boasting rights.
“I realized there was a lot of buzz going around in the community and people were wondering: who is capable of carrying out such an attack. I realized, maybe I can claim the credit and use it against them … saying: listen, this is what will happen if you go against us.”
He sought to get that point across through conversations in IRC chatrooms.
It was because of these postings, in which Calce claimed responsibility for the attacks, that he came to be noticed by the FBI in the U.S. and the RCMP.
When did he figure the game was up?
“The exact moment I felt that was when [former U.S. president] Bill Clinton convened a cybersecurity summit,” Calce told the packed hall at IT360. “I realized then there are obviously some people coming after me.” The special summit was called in the days following the attack.
Calce’s immediate reaction was to get rid of the evidence — “destroy the hard drive, smash it up, douse it in liquid, throw magnets on it and ditch it in the river.”
He said he also carefully followed news reports, some of which claimed he was from Toronto. “Then I read there were 60 FBI units trying to apprehend me and started to face the fact they were getting pretty close.”
Calce spent much of the interview detailing how hacking has changed since he was one of its chief practitioners.
In those days, he said, hacking was more along the lines of exploration and we were battling one another. “We didn’t take alley fights into public domains.”
In marked contrast, he said, today the number one motive is obviously monetary gain.
He said the anonymity that cyber crime provides is one reason why the criminal mind is drawn to the Internet. “You set out to physically rob a bank and there’s huge liability and risk. But with computer fraud you can mask your identity.”
Today, he said, there are underground communities where all kinds of information is traded … bank data, credit card numbers.
“And the perpetrators aren’t groups of kids battling one another any more. They’re serious criminals, making ties across the globe, and finding new ways to infiltrate your infrastructure.”
Do it yourself attack kits
Calce highlighted two seemingly paradoxical trends – the increasing sophistication of attacks coupled with the growing simplicity of execution.
Nine years ago to launch a mass denial of service, he said, he had to create a complete network of UNIX operating systems.
Today, he said, with the botnets, phishing kits and other tools you can rent, it’s all one click. “And then you just keep checking tabs to see how many new computers you’ve compromised. It’s just becoming easier and easier.”
And accessing these really dangerous tools is also simplicity itself, he said. “Instead of buying a CD online, you could buy a botnet – just to have fun and shut people down.”
At a corporate level too, he pointed to the problems caused by dramatic bandwidth increases.
“When I was launching attacks in 1999, employees were on dialup connections. Now all businesses are on broadband.” This glut of bandwidth out there, while making work easier, has also intensified security risks, Calce said.
No Interac cards for me
The Internet, he said, is fundamentally insecure, and that reality is at the root of all online breaches.
“Just go to securityfocus.com and you’ll see buffer overflows being reported and all kinds of exploits … constantly.”
In that sense, he said, things really haven’t changed significantly since years ago. “There are still vulnerabilities being uncovered almost nearly every day.”
For this reason, he said, electronic financial transactions are fraught with risk, and those who rely on them naïvely put convenience over security.
“I have problems with online banking, for instance,” said MafiaBoy. “I don’t believe in that system and prefer to walk 2 kms to a bank.”
He doesn’t make debit card purchases at retail stores for the same reason. “There are gas stations which have card readers set up. You enter your PIN and poof … you try to use your bank card again and half your funds are missing.”
Conficker scare – a ruse
In the world of hacking today, the former hacker suggested it’s not the sensational events you should be really worried about, but all the stuff that flies under the radar.
He cited the Conficker scare as an example of this.
“Everyone thought it would run amuck on April 1 – and then nothing happened. But that was part of the ploy. It was the same with Y2K. People expect a catastrophe … and then nothing happens and people forget about it.”
He said people should be worried that someone still has access to all those computers “and is gaining more machines as we speak.”