Mafiaboy grows up; a hacker seeks redemption

Eight years after knocking Yahoo offline, a former teenage hacker is now a legitimate security consultant.

The Internet attack took Yahoo engineers by surprise. It came so fast and with such intensity that Yahoo, then the Web's second most-popular destination, was knocked offline for about three hours.

That was on the morning of Feb. 7, 2000. A few months later, 15 year-old Michael Calce [cq] was watching "Goodfellas" at a friend's house in the suburbs of Montreal when he got a 3 a.m. call on his mobile phone.

His father was on the line. "They're here," he said.

Calce knew right away what that meant. He had already talked to a lawyer after warning his father, weeks earlier, that he'd knocked offline a string of high profile Web sites -- Amazon, Dell, CNN -- and his attacks had been widely covered in the press.

Although the late-night visit by the Royal Canadian Mounted Police was not a surprise, Calce said his mind was racing as he walked out to a street corner to wait for a police cruiser to swing by and arrest him. What was going to happen? Would he go to jail?

Calce, who was known at the time only by his online moniker, Mafiaboy, eventually pled guilty to criminal hacking charges. He served time in a group home where he was allowed to attend school and a part-time job, but was otherwise essentially locked in his room. He couldn't use computers and, isolated from friends and family, he "almost hit a state of depression," he said in an interview this week -- one of his first since his arrest eight years ago.

"It changed me completely," he said of his time in detention. "I started to think about how I could help society rather than be a detriment."

To hear Calce tell it, it's easy to see what got him into the world of criminal hacking: the power.

At nine and a half years old he was knocked offline by someone he'd annoyed while hanging out in an AOL chatroom looking for pirated software. "I was amazed that somebody was able to do that," he said.

Intrigued, he soon learned how to do the same to others, a practice called "punting."

Three years later, when his best friend was killed in a winter car accident, Calce said he became a darker, more isolated kid.

"It definitely fuelled me to not really care about what was going on in the real world," he said.

At 15, he had moved from AOL's chat rooms to the EFnet Internet Relay Chat (IRC) network where he learned some very nasty tricks indeed.

On the day he knocked Yahoo offline, Calce estimates that he had hacked into perhaps 40 percent of the major universities in the United States, using attack code that he picked up online.

His bag of tricks included attacks for Solaris, HP-UX and the Linux operating systems. The BIND (Berkeley Internet Name Domain) software used to manage the Internet's Domain Name System was also a favorite target.

To hit Yahoo, he used a denial of service attack, sending the online portal's Web servers a stream of useless information and forcing them to constantly respond, using up precious network bandwidth.

He took denial of service attack code written by a hacker named Sinkhole and developed a way to remotely train all of his approximately 200 university networks on the same target simultaneously, he said.

Soon Yahoo was offline.

"I really couldn't believe it at first," Calce remembered. "Did I get lucky with that attack, or was my network really that powerful?"

"This is why I continued with my attacks. I thought Yahoo might have been a fluke" he added.

Over at Yahoo, nobody seemed to think that luck was involved.

"It was horrible," said Jeremiah Grossman, [cq] who worked in Yahoo's security department at the time. "It worked quite well; it knocked down one of the most stable sites on the Web."

Grossman, now CTO at White Hat Security, said he still uses Calce's Yahoo attack as a point of reference when he needs to talk about what kind of bandwidth it takes to knock a site offline.

Denial of service attacks may soon be in the news again, security experts say.

Last week researchers Robert Lee [cq] and Jack Louis [cq] of security vendor Outpost24 said they discovered a major flaw in the Internet's TCP/IP protocol that could allow an attacker to take out a major Web site without first building up the massive network of attacking machines that Calce needed for his crimes.

Calce said one thing is certain: Mafiaboy won't be involved in any new computer attacks. Today he works as a legitimate security consultant and he's on a book tour this week, having published a tell-all story documenting his criminal career and offering advice on how people can protect themselves from, well, people like him on the Internet.

He wants to help protect regular computer users, he said, because they've now replaced universities and corporations as the major targets of attack. And, clearly, he wants to dispel the notion that he was a know-nothing "script kiddie" who used other people's software to wreak havoc on the Internet.

"I want to let everybody know that I acknowledge what I did was wrong," he said. "I just want to share my knowledge with people."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?