Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo Hacker 'Mafiaboy' Eight Years On

Posted by CmdrTaco on from the cashing-in-on-your-crimes dept.

An anonymous reader writes "Eight years ago Mafiaboy (Michael Calce) knocked Yahoo offline. Today he he works as a legitimate security consultant and has just published a book documenting his criminal career and offering advice on how people can protect themselves from people like him on the Internet."

11 of 183 comments (clear)

  1. But i thought... by scubamage · · Score: 2, Interesting

    ...that federal law precludes an ex-con from profiting off of their crimes by doing things like writing books, and making movies? I see no issue with him writing a book on computer security, but how is him writing an account of his criminal actions that got him arrested not a breach of this law? Am I missing something? Not trying to be an armchair lawyer, just interested in why.

    1. Re:But i thought... by pegr · · Score: 4, Interesting

      Even as a teenager, I had a strong self-preservation instinct. I knew the difference between a felony and a misdemeanor.

  2. Words of Wisdom from a Script Kiddie by tecopa03 · · Score: 5, Interesting

    Oh lord.

    Chapter two, "I installed the win32 exe called 'zombie', next I clicked on the Dee DOS button and took out CNN"

  3. Re:Why? by onion2k · · Score: 4, Interesting

    6) Ask your techie friend/relative about switching to Linux, and you can almost completely cross 1, 4, and 5 off this list

    Err... no. Assuming you're running Linux (or OSX, BSD, whatever) 1, 4 and 5 still apply just as much as they do on Windows.

    1) Don't run files whose source you don't trust

    Binaries can be dangerous on Linux, especially if you're a newbie user who runs things as root (and we are talking about newbies here remember). Even compiling your own apps can be dangerous if the source of the source isn't trustworthy.

    4) Avoid going to domains you aren't familiar with, as they could contain exploits which can bot your machine without any interaction - stick to reputable sources of information

    You're not going to be running into self-installing ActiveX malware, but you're in just as much danger from phishing, XSS or browser exploit hacks.

    5) Keep your AV and Firewall up to date

    The firewall issue is obvious. You need one even on a Linux PC. Maybe moreso even because Linux often comes with a raft of server and daemon stuff that Windows doesn't. AV is more contentious - but if you're using the computer for anything important, eg work related, and you don't want to pass viruses on to clients then AV is still a useful tool. I'm certain that me passing on a virus to a client would do more damage to my business than actually having my computer affected by one itself.

    Your operating system is never enough for you to take a liaise faire attitude to security regardless of what you're running.

    --
    http://twitter.com/onion2k
  4. What I always wanted to ask... by information_retrieva · · Score: 4, Interesting

    I always want to ask one of these reformed hackers what, if anything, would have deterred them when they were first getting started. Does anyone know if this book attempts to answer that sort of question?

    1. Re:What I always wanted to ask... by YttriumOxide · · Score: 4, Interesting

      Well, assuming you posed the question to me (I was convicted of telephone fraud (phreaking) once, and discharged without conviction on charges of breaches of the telecommunications act (unlawful entry to a computer system that wasn't my own (a bank))), I would have to answer as follows:

      There is almost nothing you could have done to deter me from those actions. I felt as if I was a part of a "wild frontier", and had control and abilities that very few others possessed (and, I was probably right). The feeling was that of real power - something that most people in their very early teens (when I was arrested for the crimes mentioned) don't often get a lot of... especially as the "geeky kid" at school who got picked on all the time (this was the early 90s in small town New Zealand - not the best place for a geek). Trying to convince anyone to willingly give up that sense of "worth" without getting something equal in return is pretty much impossible.
      It's also worth noting that I was caught twice, for what was hundreds, if not thousands, of criminal activities. I still felt pretty bulletproof (especially after the "discharge without conviction" for the bank crack)

      I made my mistakes, but honestly, I don't regret it even to this day - my current work has nothing to do with security, although I still keep up in those circles and like to hone my skills against my own systems. But, I've also never had any negative consequences other than the court imposed penalty for the phreaking (which was surprisingly minor - especially in relation to the police recommendation). If a kid were to come to me today and ask if he/she should do it, my answer would be that they should do what they feel is right and accept the consequences if they do something illegal and get caught at it. I'm not 100% sure that even means I would try to discourage them...

      Of course, I was a cracker and a phreaker... not a script kiddie. "Mafiaboy" may be a little different.

      --
      My book about LSD and Self-Discovery
      Also on facebook as: DroppingAcidDaleBewan
    2. Re:What I always wanted to ask... by YttriumOxide · · Score: 2, Interesting

      There are many, many bright people who have the ability to do what you did - far more than you realize.

      Hmmm... as I mentioned, I lived in small town New Zealand, and it was the early 90s. I really don't think there were too many other people around with the same skills that I had. Now, you then said:

      But the truth is that almost anyone can become a burglar, provided they choose to do so (emphasis mine)

      I never said others couldn't BECOME able to do what I did, simply that very few others actually possessed the required skills. In the early 90s, computer crime wasn't the "cool" thing that it had become after the web explosion in the mid to late 90s. It wasn't unheard of, and was gaining popularity (see movies such as War Games from nearly 10 years earlier), however it was still pretty quiet in general. Compounded with my location, I can be pretty certain I knew everyone locally who could do such things - and that wasn't exactly a lot of people.

      The difference was that they had something that you lacked - the moral judgment not to go breaking into other people's systems, and instead to do something productive with their abilities.

      That is perhaps true - there may well have been others who COULD do it, but didn't, but I think that's pretty unlikely (especially if we're limiting the sample set to people my age at the time), as the only real way to gain those skills was to either actually do it, or study it specifically. Why anyone would study it without doing it, as a young teenager, I couldn't imagine.

      Note that I never said "noone", I said "very few", and as a percentage of the population of Earth, I'm pretty positive that stands as true. As a percentage of people my age, or people in my town, I'm completely certain.

      --
      My book about LSD and Self-Discovery
      Also on facebook as: DroppingAcidDaleBewan
    3. Re:What I always wanted to ask... by corbettw · · Score: 3, Interesting

      There is almost nothing you could have done to deter me from those actions. I felt as if I was a part of a "wild frontier", and had control and abilities that very few others possessed (and, I was probably right). The feeling was that of real power - something that most people in their very early teens (when I was arrested for the crimes mentioned) don't often get a lot of... especially as the "geeky kid" at school who got picked on all the time (this was the early 90s in small town New Zealand - not the best place for a geek). Trying to convince anyone to willingly give up that sense of "worth" without getting something equal in return is pretty much impossible.

      To distill down your stated motivations, you were seeking power and a form of acceptance. Not much different from most young criminals, really. And the same thing could've motivated you not to do it as does motivate them: friends who value you without requiring that you break laws.

      This is why it's so important to get young kids involved in after school activities and clubs. Sure, you might not have been interested in joining a youth soccer league, but what about a chess club? Or a gaming group? Basically, anywhere where you can make friends (in real life) and get positive feedback and acceptance. If you had had those, would you still have felt the need to break into banks?

      --
      God invented whiskey so the Irish would not rule the world.
    4. Re:What I always wanted to ask... by YttriumOxide · · Score: 3, Interesting

      To distill down your stated motivations, you were seeking power and a form of acceptance.

      Primarily the former rather than the latter... you can't really have "power" (over people) without at least some kind of acceptance, but the acceptance was definitely a secondary thing to the power. It's a pretty natural human desire to have power over others, and the school bullies would assert theirs physically, while the "general geeks" would sit back and know that they'd be asserting theirs later in life. For me, it wasn't really enough. It's not that I wanted/needed/deserved more power than anyone else, it's just that one day I found a means that gave me a more ultimate kind of power - power over the "almighty" adults. At that age, I had the typical rebellious streak of the younger teenage years, and I had found an outlet for it.

      Sure, you might not have been interested in joining a youth soccer league, but what about a chess club? Or a gaming group? Basically, anywhere where you can make friends (in real life) and get positive feedback and acceptance. If you had had those, would you still have felt the need to break into banks?

      I was in the chess club, maths competition team, and on the school newspaper (I became editor of it eventually)... none really did anything to stop me wanting to break in to banks. If you compare them, "broke in to bank" is a hell of a lot "cooler" at that age than "first prize in maths competition", "wrote well appreciated article" or "considered by peers to be really good at chess".

      The school staff (teachers, guidance counsellor, principal etc) worshipped the ground I walked on - I could do no wrong in their eyes. My peers (geeks) respected me and looked up to me (head of that 'clique' basically), but that wasn't enough. I viewed the school staff as incompetent and unaware (how could they write reports saying "studies hard", when I didn't study a day in my life?) and my peers as slimy and greasing ("they just want to be me" (I almost certainly misconstrued their intentions - I was a cynical little bastard really)). I didn't just want to be respected - I wanted to be ADMIRED, FEARED and LOVED.
      (again, PLEASE remember this is how I thought at that age - I've grown up now, and I do realise how petty and crappy those attitudes are... but I also think they're pretty common amongst people at that age)

      Honestly, another factor in how I viewed the activity (rather than the reasons for it) may have been my upbringing. I was raised to question authority when that authority was not backed up with reason. So, the idea of "breaking a law" didn't have a huge negative stigma attached to it for me. I knew it was wrong in the eyes of the law, but I considered (and still consider to be quite honest) those who uphold the law with no regard for the reasons behind it to be very foolish indeed - nothing more than sheep to the system. Whenever my parents told me to do something, they'd ALWAYS give me a reason why. Teachers at school were happy to do the same as long as I was polite about it, which I always was ("Go take this to Mr Smith", "Why?", "Because he needs it, and you can miss a few minutes of class without falling behind", "Okay").
      Breaking in to a bank just didn't feel wrong to me. I didn't steal money, I didn't harm anyone, I just looked around. Remember, from the eyes of a young teen, this is a pretty straightforward kind of argument - you don't really appreciate the many facets of things like that until you're much older. It's a matter of maturity, and while I certainly may have been a very smart kid, I was definitely NOT mature enough to really handle my knowledge.

      Just as a side note - it eventually led me to a rather difficult point in my life in my late teenage years, where I was arrested, hired an extremely good lawyer, got off with only a fine, paid that, found out the lawyer was charging me more than three times what the fine was, cracked in to her system to ma

      --
      My book about LSD and Self-Discovery
      Also on facebook as: DroppingAcidDaleBewan
  5. Script kiddie by LizardKing · · Score: 4, Interesting

    Frankly, I'm not surprised that a script kiddie (which is all Mafia boy was) could take Yahoo! down back in 2000. I worked there in 1999 for four or five months, and left in disgust at how poor their engineering was. On my first day I fixed a bug where user input was being used as a format string. This in C code that was written by a "veteran" coder, who clearly couldn't write anything maintainable. There was no documentation (I'm not exaggerating), designs were communicate verbally, hacked together and then forgotten. There was not project management as such, and no middle management - seniority was based simply on who had been there the longest. While this "hacker ethos", of which Yahoo! employees were inordinately proud, may have worked when it was two guys working from a trailer but it was disastrous in a large, international development team.

  6. Why did I go to college? by penguin_dance · · Score: 4, Interesting

    While the rest of us were going to college, this guy had the formula to quick success.

    Hack into large company web sites
    Get a slap on the wrist
    Become a reformed hacker/security expert
    Write book on exploits
    $PROFIT!

    --
    If you've never been modded as "flamebait" or "troll," you've never tried to argue a minority viewpoint here!