Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security IT

Yahoo Hacker 'Mafiaboy' Eight Years On 183

An anonymous reader writes "Eight years ago Mafiaboy (Michael Calce) knocked Yahoo offline. Today he he works as a legitimate security consultant and has just published a book documenting his criminal career and offering advice on how people can protect themselves from people like him on the Internet."
This discussion has been archived. No new comments can be posted.

Yahoo Hacker 'Mafiaboy' Eight Years On

Comments Filter:
  • But i thought... (Score:2, Interesting)

    by scubamage ( 727538 )
    ...that federal law precludes an ex-con from profiting off of their crimes by doing things like writing books, and making movies? I see no issue with him writing a book on computer security, but how is him writing an account of his criminal actions that got him arrested not a breach of this law? Am I missing something? Not trying to be an armchair lawyer, just interested in why.
    • by Anonymous Coward on Monday October 13, 2008 @08:23AM (#25354323)
      Probably because Canada is not part of the US yet?
      • Re:But i thought... (Score:4, Informative)

        by Anonymous Coward on Monday October 13, 2008 @08:48AM (#25354633)

        It might be flamebait, but it is true. This guy is Canadian, living in Canada. US Federal law ? What about it?
        As to whether he has such a gap in judgement, he was 15 at the time of the hack. Who does not have gaps of judgement at that age?

        • by Yvan256 ( 722131 ) on Monday October 13, 2008 @08:58AM (#25354763) Homepage Journal

          Hell, I'm 93 and I still have gaps of judgement.

          Oh wait, those are gaps of memory.

          Get off my lawn!

        • Re:But i thought... (Score:5, Informative)

          by gary_7vn ( 1193821 ) on Monday October 13, 2008 @09:54AM (#25355497) Homepage
          Here is the loophole. In Canada a young offender's record is expunged after a period of time, after which they are allowed exactly the same rights and privileges as any other Canadian. This protects them from the self-righteous, who would seek to punish them - forever. "...the bill would apply only to accused persons "convicted" of the offence, thus excluding from its reach offenders who were found "not criminally responsible" by reason of a mental disorder or who were "found guilty" as young offenders, or who were granted an absolute or conditional discharge under section 730 of the Criminal Code."
      • Re: (Score:1, Funny)

        by Anonymous Coward

        Probably because Canada is not part of the US yet?

        Got to love how Canadians write a statement... that ends with a question mark.

        • by SuperSlug ( 799739 ) on Monday October 13, 2008 @10:12AM (#25355769)

          Probably because Canada is not part of the US yet?

          Got to love how Canadians write a statement... that ends with a question mark.

          Probably because Canada is not part of the US yet, eh?

          There fixed it for ya.

          • by caluml ( 551744 )

            Probably because Canada is not part of the US yet, eh?

            I'm British, and as such, can't really hear a difference between Canada and the US. However, I am trying to learn, so I can continue to mock those North Americans who can't tell the difference between Australian and Scouse [iana.org]. So, whenever I hear a Canadian speaking, I try to look for things that distinguish. And I can't hear any. 'Specially not any 'eh' at the end of the sentence. Please advise.

      • Re: (Score:3, Funny)

        by Sentry21 ( 8183 )

        Don't worry. Once Phase One is complete and your economy has crashed, we'll start Phase Two. Once we've bought up your economy and banks, your chance to be Canada's fourth territory will commence.

    • Re: (Score:3, Insightful)

      by pegr ( 46683 ) *

      Today he he works as a legitimate security consultant
       
      I believe the problem word here is "legitimate"... If one has that large of a gap in judgement, most "legitimate" employers won't hire you. And that's the way it should be.

      • Re: (Score:1, Insightful)

        by Nerftoe ( 74385 )

        If one has that large of a gap in judgement.. ...When he was 15. Everyone does crazy stuff when they are 15. I know I did. Didn't you?

        • Re: (Score:2, Informative)

          by thermian ( 1267986 )

          If one has that large of a gap in judgement.. ...When he was 15. Everyone does crazy stuff when they are 15. I know I did. Didn't you?

          No.

          • Re:But i thought... (Score:5, Interesting)

            by pegr ( 46683 ) * on Monday October 13, 2008 @09:10AM (#25354883) Homepage Journal

            Even as a teenager, I had a strong self-preservation instinct. I knew the difference between a felony and a misdemeanor.

          • Re:But i thought... (Score:4, Informative)

            by Anonymous Coward on Monday October 13, 2008 @09:12AM (#25354899)

            There are two types of people: people who did crazy shit when they were 15 and

            FUCKING LIARS!!

            • Re: (Score:3, Insightful)

              by gary_7vn ( 1193821 )
              Don't forget unforgiving, robotic cowards. Robocop was a movie, not a manual.
            • Re: (Score:2, Informative)

              by Probie ( 1353495 )
              zing!
            • I get mod points 6 days out of 7, and today by some rift in the time-space /. continuum, I have none.

              +99 Truthiness

        • Re: (Score:3, Insightful)

          by dfghjk ( 711126 )

          It's natural to excuse your own behavior by claiming everyone else does it too. Doesn't make it true.

          No, not everyone does "crazy stuff" when they are 15. Many know better.

        • I wonder how many 15 yr olds see high-profile hacking felonies as their golden ticket into the "legitimate security consultant," career path? Is this the best way to get street cred as a consultant?
        • There's a world of difference between staying out after curfew or getting drunk enough to throw up on your dad when he confronts you as you try to sneak in through the patio door, and knocking a major Web portal offline. Any 15 year old should understand the difference between those two, let alone a 30 year old pining for when he was 15.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Common misconception.
      1. Most laws regarding this are state laws.
      2. Reading from wikipedia, most of these laws don't hold up.

      http://en.wikipedia.org/wiki/Son_of_sam_laws [wikipedia.org]

         

    • by penguin_dance ( 536599 ) on Monday October 13, 2008 @10:15AM (#25355839)

      While the rest of us were going to college, this guy had the formula to quick success.

      Hack into large company web sites
      Get a slap on the wrist
      Become a reformed hacker/security expert
      Write book on exploits
      $PROFIT!

  • WARNING! (Score:5, Funny)

    by Anonymous Coward on Monday October 13, 2008 @08:20AM (#25354279)

    I bought this book, but it intentionally contained too many pages and overflowed my bookcase. It fell off the end, and gave my cat a fatal error. While I was in the back garden burying Muffins, he sneaked into my house and stole all my stuff!

  • "Today he he works". It happens from time to time
  • Headline at the moment is "Yahooo Hacker 'Mafiaboy' Eight Years On Posted by CmdrTaco on Mon Oct 13, '08 09:15 PM"
  • by Anonymous Coward

    Sounds like he paid for his crime...

    Oh wait. He is being paid for his crime?

    WTF

  • by tecopa03 ( 1086983 ) on Monday October 13, 2008 @08:32AM (#25354419)
    Oh lord.

    Chapter two, "I installed the win32 exe called 'zombie', next I clicked on the Dee DOS button and took out CNN"
  • Proof that crime really *does* pay.
    • Re: (Score:2, Insightful)

      by zappepcs ( 820751 )

      Actually, crime does pay... until you get caught. And according to the US justice and political system, if you have made the right friends and spent some of your money in the right places (campaigns) then even if you do get caught, crime continues to pay. Just remember to forget how many houses you have.

      Yeah, go ahead, mark this troll, but it's true.

  • Do people here feel comfortable buying books by crooks?
  • I don't see what makes him any more insightful in this area, aside from some ancient history. Looking at the domain mafiaboy.com I wouldn't expect much of anything from this book.

    As for advising the masses in how to stay safe, the rules are so basic for everyday users that I doubt a security consultant could offer anything considerably insightful:

    1) Don't run files whose source you don't trust
    2) Read prompts before clicking yes, default answer should be no unless you specifically understand what it's talk

    • Re:Why? (Score:5, Interesting)

      by onion2k ( 203094 ) on Monday October 13, 2008 @08:55AM (#25354721) Homepage

      6) Ask your techie friend/relative about switching to Linux, and you can almost completely cross 1, 4, and 5 off this list

      Err... no. Assuming you're running Linux (or OSX, BSD, whatever) 1, 4 and 5 still apply just as much as they do on Windows.

      1) Don't run files whose source you don't trust

      Binaries can be dangerous on Linux, especially if you're a newbie user who runs things as root (and we are talking about newbies here remember). Even compiling your own apps can be dangerous if the source of the source isn't trustworthy.

      4) Avoid going to domains you aren't familiar with, as they could contain exploits which can bot your machine without any interaction - stick to reputable sources of information

      You're not going to be running into self-installing ActiveX malware, but you're in just as much danger from phishing, XSS or browser exploit hacks.

      5) Keep your AV and Firewall up to date

      The firewall issue is obvious. You need one even on a Linux PC. Maybe moreso even because Linux often comes with a raft of server and daemon stuff that Windows doesn't. AV is more contentious - but if you're using the computer for anything important, eg work related, and you don't want to pass viruses on to clients then AV is still a useful tool. I'm certain that me passing on a virus to a client would do more damage to my business than actually having my computer affected by one itself.

      Your operating system is never enough for you to take a liaise faire attitude to security regardless of what you're running.

      • Agreed to a point, however your extending my stance beyond where I intended it to reach. "Almost" is a big operative word here. Here are my reasonings for my statement, in hopes it may make more sense. In no way was my statement meant to say you can forget about security altogether, and I stand by it being accurate. 1) There's a completely different paradigm to Linux than there is to Windows. If your using Linux correctly as a newbie user, your installing apps from repository and they are all approved
      • Maybe moreso even because Linux often comes with a raft of server and daemon stuff that Windows doesn't.

        Um, while pretty much all distros have a raft of daemons available, I'd highly recommend you don't install one that installs and starts them on a desktop install. Unless you tell it to, of course. Debian policy is no network listening services on a base install, and that's a good one, IMO.

    • by Kokuyo ( 549451 )

      4) Avoid going to domains you aren't familiar with, as they could contain exploits which can bot your machine without any interaction - stick to reputable sources of information

      How would one realistically do that? Since I wouldn't dare claim I knew every place on the net that I'll ever need, how can you go to only trusted domains when searching for information?

      • The same way you would do so at the library?

        Find a reputable primary source, then follow sources that they cite. For example, if your doing research start with a reputable journal such as the Harvard Business Review, then refer to sources they cite for further detail. More generically, start at CNN.com or wikipedia or some other "large brand" of website, and use it for direction before clicking on any link that comes off google.

        By no means a full proof or robust approach, but its a good start. This assum

      • It's easy just stick to Yahoo! LOL
    • Comment removed based on user account deletion
  • Not worth the time (Score:5, Insightful)

    by Sun.Jedi ( 1280674 ) on Monday October 13, 2008 @08:41AM (#25354559) Journal

    The excerpt [mafiaboybook.com] reads like a pre-teen love story.

    I downloaded and then I pressed enter
    I installed and then I was online

    And thats chapter 5, what the hell does he write about (being all of 9 years old) for the first 4 chapters?

    This won't qualify as proper fish wrapping.

    • I guess, not surprisingly, he was just a script kiddie - he downloaded hacks and ran them and thought he was a cool 133t h4x0r.

      Doesn't say much for Yahoo if they hadn't protected themselves from known exploits, although I assume they learnt from the lesson.

  • by information_retrieva ( 1058952 ) on Monday October 13, 2008 @09:02AM (#25354801)
    I always want to ask one of these reformed hackers what, if anything, would have deterred them when they were first getting started. Does anyone know if this book attempts to answer that sort of question?
    • Well, assuming you posed the question to me (I was convicted of telephone fraud (phreaking) once, and discharged without conviction on charges of breaches of the telecommunications act (unlawful entry to a computer system that wasn't my own (a bank))), I would have to answer as follows:

      There is almost nothing you could have done to deter me from those actions. I felt as if I was a part of a "wild frontier", and had control and abilities that very few others possessed (and, I was probably right). The feeling was that of real power - something that most people in their very early teens (when I was arrested for the crimes mentioned) don't often get a lot of... especially as the "geeky kid" at school who got picked on all the time (this was the early 90s in small town New Zealand - not the best place for a geek). Trying to convince anyone to willingly give up that sense of "worth" without getting something equal in return is pretty much impossible.
      It's also worth noting that I was caught twice, for what was hundreds, if not thousands, of criminal activities. I still felt pretty bulletproof (especially after the "discharge without conviction" for the bank crack)

      I made my mistakes, but honestly, I don't regret it even to this day - my current work has nothing to do with security, although I still keep up in those circles and like to hone my skills against my own systems. But, I've also never had any negative consequences other than the court imposed penalty for the phreaking (which was surprisingly minor - especially in relation to the police recommendation). If a kid were to come to me today and ask if he/she should do it, my answer would be that they should do what they feel is right and accept the consequences if they do something illegal and get caught at it. I'm not 100% sure that even means I would try to discourage them...

      Of course, I was a cracker and a phreaker... not a script kiddie. "Mafiaboy" may be a little different.

      • Deterence... (Score:1, Flamebait)

        by way2trivial ( 601132 )

        There is almost nothing you could have done to deter me from those actions.

        What if the month before a vigilante group of Yahoo fanpunks had made Michael Calce swallow his own testicles and released the video on You Tube?

        would you still have been as willing to phreak then?

        • Well no, but I did say "almost nothing"...
          Besides - YouTube didn't exist in the early 90s when I was doing that sort of thing.
      • Re: (Score:2, Insightful)

        by timholman ( 71886 )

        I felt as if I was a part of a "wild frontier", and had control and abilities that very few others possessed (and, I was probably right).

        No, actually you were wrong. There are many, many bright people who have the ability to do what you did - far more than you realize. The difference was that they had something that you lacked - the moral judgment not to go breaking into other people's systems, and instead to do something productive with their abilities.

        It's like a bunch of teenaged burglars thinking the

        • Re: (Score:3, Interesting)

          There are many, many bright people who have the ability to do what you did - far more than you realize.

          Hmmm... as I mentioned, I lived in small town New Zealand, and it was the early 90s. I really don't think there were too many other people around with the same skills that I had. Now, you then said:

          But the truth is that almost anyone can become a burglar, provided they choose to do so (emphasis mine)

          I never said others couldn't BECOME able to do what I did, simply that very few others actually possessed the required skills. In the early 90s, computer crime wasn't the "cool" thing that it had become after the web explosion in the mid to late 90s. It wasn't unheard of, and was gaining popularity (see movie

      • by corbettw ( 214229 ) on Monday October 13, 2008 @11:09AM (#25356759) Journal

        There is almost nothing you could have done to deter me from those actions. I felt as if I was a part of a "wild frontier", and had control and abilities that very few others possessed (and, I was probably right). The feeling was that of real power - something that most people in their very early teens (when I was arrested for the crimes mentioned) don't often get a lot of... especially as the "geeky kid" at school who got picked on all the time (this was the early 90s in small town New Zealand - not the best place for a geek). Trying to convince anyone to willingly give up that sense of "worth" without getting something equal in return is pretty much impossible.

        To distill down your stated motivations, you were seeking power and a form of acceptance. Not much different from most young criminals, really. And the same thing could've motivated you not to do it as does motivate them: friends who value you without requiring that you break laws.

        This is why it's so important to get young kids involved in after school activities and clubs. Sure, you might not have been interested in joining a youth soccer league, but what about a chess club? Or a gaming group? Basically, anywhere where you can make friends (in real life) and get positive feedback and acceptance. If you had had those, would you still have felt the need to break into banks?

        • To distill down your stated motivations, you were seeking power and a form of acceptance.

          Primarily the former rather than the latter... you can't really have "power" (over people) without at least some kind of acceptance, but the acceptance was definitely a secondary thing to the power. It's a pretty natural human desire to have power over others, and the school bullies would assert theirs physically, while the "general geeks" would sit back and know that they'd be asserting theirs later in life. For me, it wasn't really enough. It's not that I wanted/needed/deserved more power than anyone else, it's just that one day I found a means that gave me a more ultimate kind of power - power over the "almighty" adults. At that age, I had the typical rebellious streak of the younger teenage years, and I had found an outlet for it.

          Sure, you might not have been interested in joining a youth soccer league, but what about a chess club? Or a gaming group? Basically, anywhere where you can make friends (in real life) and get positive feedback and acceptance. If you had had those, would you still have felt the need to break into banks?

          I was in the chess club, maths competition team, and on the school newspaper (I became editor of it eventually)... none really did anything to stop me wanting to break in to banks. If you compare them, "broke in to bank" is a hell of a lot "cooler" at that age than "first prize in maths competition", "wrote well appreciated article" or "considered by peers to be really good at chess".

          The school staff (teachers, guidance counsellor, principal etc) worshipped the ground I walked on - I could do no wrong in their eyes. My peers (geeks) respected me and looked up to me (head of that 'clique' basically), but that wasn't enough. I viewed the school staff as incompetent and unaware (how could they write reports saying "studies hard", when I didn't study a day in my life?) and my peers as slimy and greasing ("they just want to be me" (I almost certainly misconstrued their intentions - I was a cynical little bastard really)). I didn't just want to be respected - I wanted to be ADMIRED, FEARED and LOVED.
          (again, PLEASE remember this is how I thought at that age - I've grown up now, and I do realise how petty and crappy those attitudes are... but I also think they're pretty common amongst people at that age)

          Honestly, another factor in how I viewed the activity (rather than the reasons for it) may have been my upbringing. I was raised to question authority when that authority was not backed up with reason. So, the idea of "breaking a law" didn't have a huge negative stigma attached to it for me. I knew it was wrong in the eyes of the law, but I considered (and still consider to be quite honest) those who uphold the law with no regard for the reasons behind it to be very foolish indeed - nothing more than sheep to the system. Whenever my parents told me to do something, they'd ALWAYS give me a reason why. Teachers at school were happy to do the same as long as I was polite about it, which I always was ("Go take this to Mr Smith", "Why?", "Because he needs it, and you can miss a few minutes of class without falling behind", "Okay").
          Breaking in to a bank just didn't feel wrong to me. I didn't steal money, I didn't harm anyone, I just looked around. Remember, from the eyes of a young teen, this is a pretty straightforward kind of argument - you don't really appreciate the many facets of things like that until you're much older. It's a matter of maturity, and while I certainly may have been a very smart kid, I was definitely NOT mature enough to really handle my knowledge.

          Just as a side note - it eventually led me to a rather difficult point in my life in my late teenage years, where I was arrested, hired an extremely good lawyer, got off with only a fine, paid that, found out the lawyer was charging me more than three times what the fine was, cracked in to her system to ma

          • by Eythian ( 552130 )

            and my peers as slimy and greasing ("they just want to be me" (I almost certainly misconstrued their intentions - I was a cynical little bastard really))

            *cough* 'almost'?! :)

            • Hah... I was wondering if you'd read all that ;) Ah the perils of the people I'm talking about having Slashdot accounts!

              But hey, to be completely honest, maybe I was RIGHT when I was a "cynical little bastard" and I've just become wrong in my old age... one can never really KNOW, can one?
              • by Eythian ( 552130 )

                But hey, to be completely honest, maybe I was RIGHT when I was a "cynical little bastard" and I've just become wrong in my old age... one can never really KNOW, can one?

                I like to think I know. Even if it was long enough ago that my memory is sorta hazy :)

          • So really your problem was more about a lack of morals and (possibly) empathy than anything else. It sounds like you've learned some over the years, so that's good. But this is an example of why it's a bad idea to teach young kids to always question authority: they don't have enough experience yet to know when to question things, and what questions to ask in the first place.

            Questioning authority is something you should learn after high school, when you're old enough to also understand the consequences of yo

        • This is why it's so important to get young kids involved in after school activities and clubs.

          Careful though. My parents forced me to join every club and sport possible, so I had 0 freetime. By the time I hit senior year I was so burned out from all that garbage I didn't go to college. And still haven't. And life now sucks.

          • Sorry to hear that life sucks, but if I were you, I wouldn't attribute it entirely to "not going to college". As a result of the way my life went after the activities that I described in this thread, I also never went to any kind of "higher education" (actually, a started a Polytechnic course, but got expelled for fixing a bug in a tutor's program that was in a folder I shouldn't have had access to), and my life has turned out pretty well.

            My advice, if you're finding it hard to get work based on your lack

            • My advice, if you're finding it hard to get work based on your lack of education is to work for yourself for awhile.

              That, and volunteer with non-profits. They're usually not as picky about background and education as paying employers/clients. And once you've proved yourself to the board of that non-profit, they should be able to refer to paying gigs and a real job.

    • by Inda ( 580031 )
      I used to be a naughty boy in my youth and early twenties. I sometimes discuss my criminal exploits during those late night wine drinking sessions, often with family, sometimes with an ex-copper who always offers some great insight.

      "You never get caught the first time"

      If people got caught the first time, we'd live in an almost crime free world. The risk of getting caught would be 100% and only crimes of desperation would be undertaken.

      So, not wanting to get too deep, and just wanted to answer your question,
  • excerpts.... (Score:5, Insightful)

    by apodyopsis ( 1048476 ) on Monday October 13, 2008 @09:07AM (#25354859)
    from the except http://mafiaboybook.com/about-the-book/ [mafiaboybook.com] from the book...

    "I had heard you could download versions of even the most popular games for free. This was a type of "warez"--pirated software."

    "I realized it was a common occurrence and that it was called punting. Someone knocked me offline by hitting me with so much data that my connection was severed. These punters seemed to have a huge amount of power over others on AOL."

    "I wanted to punt someone. Badly. That's when my real hunt for AOL hacking tools started."

    "I slowly learned how things worked. I eventually began to modify the applications to meet my needs. This is how kiddies become hackers."

    Jesus H Christ! People buy this crap?

    One thing is for certain, the target audience is not to be found on /., though I predict we will all get a good laugh off it.

  • Script kiddie (Score:5, Interesting)

    by LizardKing ( 5245 ) on Monday October 13, 2008 @09:11AM (#25354893)
    Frankly, I'm not surprised that a script kiddie (which is all Mafia boy was) could take Yahoo! down back in 2000. I worked there in 1999 for four or five months, and left in disgust at how poor their engineering was. On my first day I fixed a bug where user input was being used as a format string. This in C code that was written by a "veteran" coder, who clearly couldn't write anything maintainable. There was no documentation (I'm not exaggerating), designs were communicate verbally, hacked together and then forgotten. There was not project management as such, and no middle management - seniority was based simply on who had been there the longest. While this "hacker ethos", of which Yahoo! employees were inordinately proud, may have worked when it was two guys working from a trailer but it was disastrous in a large, international development team.
  • by hkb ( 777908 ) on Monday October 13, 2008 @09:26AM (#25355061)

    It should be noted by those of us who still vividly remember, that Mafiaboy and YTcracker were relatively skill-less script kiddies, not hackers. Back then, at least.

  • Does this now make him, Mafiaman?
    • by whoppo ( 218875 ) *

      Does this now make him, Mafiaman?

      No.. he has been, and always will be "MafiaBitch" a whiny little brat who downloaded someone else's work to DoS some other whiny little brats.. and then he simply found bigger targets.. and now he's a fscking celebrity. I suppose that if I had been busted for shoplifting that Snickers (tm) bar when I was 15 years old, I could have turned that into a lucrative career in physical retail security and written a book... perhaps I could have titled it "Snatching Snacks" (followed by the pr0n version: "Snackin

  • How exactly does the transformation from a script kiddie to a security EXPERT happen?

    A book on that, I'd pay to read. I'm a sucker for case sturies on business mistakes.

  • He was a script kiddy, not a hacker. That's about it. And no, he's not any better today.
  • It seems like that is the way to have a good career in IT security - either get arrested for "cyber crime" or carry out famous (or infamous) exploits in your younger years and then reform or be released and get paid to do exactly the same thing on behalf of corporations.

    It makes sense. You can't learn this stuff by reading books, you need real world situations to hone your skills.

    It is interesting that illegal acts committed in your teens can lead to a good "legitimate" job in the same area. If it worked th

  • I was always a nice guy, and used my intellectual superpowers for the greater good.

    What a sucker I was. I should have turned to crime, taken my lumps, and then profited from tales of my crimes.

    Remember, boys and girls, everything your parents and teachers tell you about good behavior is wrong.

    The good guys watch their retirement investments get raped bloody.

    The bullies and bad guys get pardoned and bailed out with golden parachutes.

    Welcome to the steaming mountain of rat shit we call civilization, kiddo.

  • here's an interview of mafiaboy on a Canadian tv programme called The Hour [youtube.com].

    cheers

  • Who else here remembers Bill Landreth's book?

    Not that I don't believe this should be written about... quite the opposite, actually, as the technology and surrounding social and technological environment had changed quite a bit in the intervening decades.

"The following is not for the weak of heart or Fundamentalists." -- Dave Barry

Working...