As a teenager from Montreal in 2000, Michael Calce (then more commonly known as “MafiaBoy”) was behind one of the biggest security breaches in Internet history, a denial of service attacks that brought a litany of the day’s biggest Web sites – Yahoo, Dell, eBay and Amazon.com among them – to their knees.
Now into his mid-twenties and many years after being caught for his “Project Rivolta” attacks and spending eight months in custody and a year on probation, Calce is campaigning for greater education about security threats and warning that many of the holes he used to cripple the world’s biggest e-commerce sites are still present today.
ChannelBuzz.ca caught up with Calce after his presentation at Tuesday’s Hitachi Data Systems Information Forum 2010 to discuss his view on the state of security on the Internet.
Calce detailed for Hitachi customers and partners how he got his start in hacking at age nine quite inadvertently, seeking an alternative to asking his father to pay to renew a soon-to-expire trial membership to America Online. By 11, Calce was frequenting the Internet Relay Chat (IRC) channels of prominent hackers, having discovered them while seeking better and faster ways to find cracked video games online.
“It’s really hard to start out in the hacking industry,” Calce quipped. “I felt privileged to get the chance.”
His involvement in an IRC-based “hacker war” between rival groups resulted in him seeking a sort of “weapon of mass destruction” to both establish himself as a leader in the community and put an end to the infighting, he said. The idea was to take what he had learned about launching denial of service attacks and building a network of machines to do his bidding on a grand scale. Call it the forebear of today’s zombie botnets, but for the teenaged MafiaBoy, it was just a more efficient way of doing business.
“I had like 80 Telnet windows and 50 SSH windows open – my Pentium 133 could only do so much,” Calce quipped.
His first attack, the one that brought Yahoo to its knees for an hour, was launched via a cron job while he was in school. It was nothing personal against the search giant, Calce insists. It was just that Yahoo was one of the biggest sites of the day, and probably the best equipped to handle the kind of massive flood of requests he was fixing to send its way. When the site went down, he decided to test it against further sites. “I’m already in this deep, let’s see how far I can go,” he said he thought at the time.
Calce said he knew he was in trouble around the time that then U.S. attorney general Janet Reno and president Bill Clinton called together a summit on cyber-security. “When the president of the U.S.A. starts holding meetings based on something you did at 15 years old, you start to think maybe you’ve done something wrong,” he said.
One of the things that amazes Calce is that the botnet approach remains attractive today – in fact, way more so. Back when MafiaBoy was active, the majority of Internet users were on dial-up. Today with ample bandwidth to home users everywhere, hackers have “low hanging fruit” to seek out, meaning they don’t have to go after the harder-to-infiltrate targets of Calce’s hacking days, like servers on university campuses. “Today, they can pick from billions of users,” he said. “Too much bandwidth available is not a good thing.”
And that’s why Calce said he’s chosen to “break his silence” on the subject of his 2000-era exploits.
Today, Calce is still involved in the security game as a white hat hacker, but his own Internet usage habits are those of one who has seen just how fragile the infrastructure is. He said he avoids putting any personal information on Twitter, keeps a low profile on Facebook, and doesn’t use credit or debit cards, much less online banking for fear that the bad guys might be a step ahead.
“I understand the practicality of it – the idea of paying your bills in your underwear is pretty fantastic,” he said. “At least until you realize there was a keylogger on your system.”
In hindsight, Calce told ChannelBuzz.ca it’s mind-boggling that his own much-publicized exploits didn’t result in a larger and more long-term change in the way law enforcement views computer security. “It was a wakeup call to Clinton,” Calce says of the former U.S. president, who once compared Calce’s denial-of-service attacks on major e-commerce sites to a sort of Pearl Harbour moment. “So why are they still sleeping?”
So what can law enforcement do about it? A good start, Calce suggested, would be to engage with “white hat hackers” in undercover operations to infiltrate hackers the same way undercover officers do organized crime organizations. “They set up narcs to do drug busts, so what’s wrong with arming a good hacker to go in there and present as a black hat, shut down a few networks, gain the trust of the leaders and take them down?” he pondered.
The organized crime analogy is increasingly apt, too. Although the security spotlight may have shifted to military- and state-sponsored operations in the light of this year’s Aurora and Stuxnet attacks, Calce said he’s still fascinated by the fact that many of the same people or types of people from whom he learned his trade are still frequenting IRC channels, still engaging in the same kinds of activities. The only thing that’s changed in Calce’s opinion is their motivation.
“There are a few old-schoolers who still do it for pride, but a large percentage of them have made the shift over to hacking for monetary gain,” Calce says with the disdain of someone who clearly did it for the notoriety and because he could. “You’d think the old schoolers would keep the old-school mentality.”
Education is also high on Calce’s agenda for dealing with security threats. While six-year-olds using computers in Calce’s day was more of an anomaly, today it’s commonplace, which has him calling for security education in the schools for much the same reason kids go through sex ed – to make sure they know the consequences of their actions and how to protect themselves from the particularly undesirable ramifications.
Beyond that, Calce told ChannelBuzz.ca there’s a fundamental need for a change in the Internet. Since the current Internet infrastructure dates back to DARPAnet and was intended for more of a closed structure of trusted nodes, Calce said it might be time to architect a network that’s purposely designed for billions of users from billions of different endpoints. And one that’s designed to be a commerce engine rather than a way of exchanging information and ideas.
“If I had the power and the resources to do it, I’d be looking at ways to build a new Internet based on new protocols that are less accessible and less exploitable,” Calce said.
There’s also a fundamental disconnect in Calce’s mind in the software industry, which he feels should put much more of an emphasis on the security inherent in the code it writes. Again, he feels there may be an opportunity for more government leadership, perhaps in the form of a grading system for software, similar to the grades applied to meats and other consumer goods.
“Consumers deserve to know that the product they’re looking at buying got a “C” rating for security,” he said. “They deserve to know what level of security is instilled into this application.”