HACKING & CRACKING - the story of Mafiaboy - copied from the National Post site in May 2002; this page last updated 2002 May 25th
Dan Verton
National Post
As the technology bubble neared its bursting point in 2000, a 14-year-old
Montrealer calling himself
Mafiaboy disabled much of the Internet economy, alarming the White House
and the financial markets. He is
a leading character in The Hacker Diaries, a book by Dan Verton, an investigative
reporter with
Computerworld in Washington. Was Mafiaboy a genius? Was he normal? And
why that name?
- - -
Shortly after 12 o'clock on Tuesday, June 8, 1999, students at Sisters
High School in Sisters, Ore., ran down
the hall looking for Jon Renner. They found him in a classroom teaching
a social studies class.
"One of the servers crashed," a student said, peeking his head through
the door to the classroom. "None of
us can get to our files or our personal Web pages."
Renner, who also served as the school's technology co-ordinator, wasn't
particularly concerned by the news
of the crash. The system had gone down before, and it was usually just
a matter of making minor tweaks to
restore operations. But there was something in the sounds of the kids'
voices this time, a look on one of their
faces maybe, that told him he should go have a look right away. After all,
the server they were talking about
wasn't your typical high school network server. This one powered a legitimate
business enterprise.
It all started five years earlier. Renner, with the assistance of a $50,000
grant from a local businessman, had
helped the school set up a student-run Internet service provider (ISP)
network. The ISP was called
Outlawnet, Inc., after the Sisters High School nickname, the Outlaws. It
was a small operation, designed to
help pay for Internet access for the school district's 500 students. The
ISP had grown to the point where it
was now serving more than 1,000 local residents and business customers
in the towns of Sisters, Black Butte
and Camp Sherman. A group of 22 students helped run the company, developing
Web pages, installing
software for clients and managing accounts. Each year, a new Outlawnet
class was selected, providing dozens
of students with valuable real-world experience in the computer industry.
There was much to be proud of.
But on this day, that sense of pride and hope was replaced with fear. In
a few minutes, Renner and another
technician realized what had happened to their server was no glitch. There
was nothing routine about what
they had found.
A computer hacker had gnawed his way into the Outlawnet server. A vulnerable
password had allowed the
intruder to establish a shell account and inject himself into the network.
The main Unix server had been obliterated and was inaccessible. The maintenance
programs that were
reserved for use by the technicians were gone. More than 3,000 files had
been deleted. Dozens of user
accounts had vanished as well. The intruder had installed a sniffer program
designed to capture insecure
passwords and a mail relay system, effectively turning Outlawnet into a
free e-mail relay station. Soon
telephone calls began pouring in from anxious customers who were worried
about the impact of the virtual
blackout on their businesses. This was a serious incident that required
an immediate phone call to the local
police.
The case was quickly passed to the Portland field office of the FBI. The
Bureau's response was instantaneous.
Outlawnet was a small-town ISP, but as far as the FBI was concerned, this
was a crime with far-reaching
implications. Launching a denial-of-service attack was a felony that could
land you in prison.
The FBI tracked down a U.S. suspect by examining the system logs provided
by Renner. However, he turned
out to be a legitimate business owner whose systems had been compromised
and used as part of the attack
on Outlawnet.
After answering a barrage of questions, the businessman handed the FBI
agents a system log file containing
an Internet protocol (IP) address. IP addresses are a series of numbers
that act like street addresses for
computers on the Internet. In this case, the address allegedly belonged
to the computer that had infiltrated
the local businessman's system and then attacked Outlawnet.
Though it was possible for hackers to fool another computer into thinking
a message came from an
authorized IP address -- a tactic known as spoofing -- the FBI agents knew
if they acted fast enough, they
would eventually find a link that would lead them to the real culprit.
In this case, the first good lead was
pointing to Sprint Canada.
- - -
Marc Gosselin had been with the computer crime squad of the RCMP in Montreal
for about three years when
the FBI called and told him they had traced a hacker incident in the U.S.
back to an Internet account in
Canada. According to the FBI, the hacker had taken down an ISP in Oregon
using a high-speed digital
subscriber line (DSL) account in Ohio they had traced across the border
to Gosselin's neck of the woods. It
was December, 1999.
At first glance, this seemed like a slam-dunk case. Gosselin was a 20-year
veteran investigator for the RCMP.
He had spent four of those years as a SWAT team member and the rest of
the time doing old-fashioned
detective work and handling counter-drug operations, fraud investigations
and criminal intelligence analysis.
Canadian law is just as tough on hackers as the U.S. legal system. Unauthorized
use of a computer can land a hacker in jail for up to 10
years. In addition, destroying and altering data, known in Canadian law
as "mischief to data," and obtaining passwords to fraudulently gain
access to a computer also carry stiff 10-year sentences.
The first step in Gosselin's playbook was to obtain a search warrant for
Sprint Canada. With the help of Sprint, Gosselin uncovered several
e-mail aliases that belonged to an account at Delphi Supernet, an ISP in
the Montreal area. But the account had been terminated a year
earlier due to suspicion of hacking, a violation of the ISP's acceptable-use
policy.
But even with account information, there was no way to tell for sure who
was sitting in front of the computer at the time of the Outlawnet
attack. And moving in too fast could blow any future case Gosselin might
be able to make against the hacker, who he presumed was a
minor, based on his experience. But there were tens of thousands of teenage
boys in the Montreal area who probably had the skill to
conduct such an attack. And the evidence was thin. For the time being,
Gosselin didn't have the proof that would enable him to get what he
really needed, which was a wiretap.
Gosselin had narrowed down the source of the attack to a house in an upscale neighbourhood in the West Island of Montreal.
The owner was the president and owner of a company and was on his second
marriage. According to neighbours, he was a brash loudmouth
who liked to sit in front of his house in a sweatsuit yelling and cursing
into a cellphone. He didn't pay much attention to his three sons, two of
whom were brothers and the other a stepbrother from the second marriage.
The oldest brother was 17 and an aspiring actor who had landed
an acting job in a local television show. Little was known about the stepbrother.
But the youngest boy loved to play basketball. When he
wasn't playing on the court at his house, he could be found playing guard
for a local kids team. When he wasn't in the mood for basketball,
he helped neighbours and friends wash their cars. To many who knew him,
there was nothing odd about him. He was a normal kid.
The young basketball player also loved computers. In 1998, when the two
Delphi Supernet accounts linked to his residence were shut down
due to suspicion of hacking, the young boy was only 12 years old. Gosselin
later suspected the boy had learned about hacking from one of
his older brothers.
The 14-year-old boy who liked basketball and girls would soon capture the
attention of the entire online world and the highest levels of the
U.S. government.
- - -
The first attack started on a Monday morning. It was Feb. 7, 2000. Yahoo!,
one of the Web's biggest information portals and e-commerce
sites, was caught by surprise. The initial flood of data packets overwhelmed
one of Yahoo!'s main routers at speeds higher than 1 gigabit per
second, the equivalent of more than 3.5 million average e-mail messages
every minute. The router recovered, but then Yahoo! lost all
routing from one of its own major ISPs. Before long, the Yahoo! administrators
realized the problems were not the result of a random glitch.
This was a deliberate attack.
Yahoo! technicians noticed that a large number of their peering circuits
-- the major national ISPs with which they share data -- were
unwittingly taking part in the attacks. In fact, one of the traces led
the technicians right back to one of their own computers. This was a
highly distributed attack that used many computers as pawns, better known
as zombies, in the attack. And a highly sophisticated hacker or
group of hackers was likely responsible, according to Yahoo! experts. Who
else could have been responsible for such a massive
denial-of-service attack?
It was clear Yahoo! was dealing with a hacker who knew what he was doing
and who took the time to learn about his target and plan the
attack. There was no way that what Yahoo! administrators were witnessing
was the work of a kid who wanted simply to find out whether the
scripts he had downloaded from the Internet actually worked. This attack
was the work of a pro, who probably had help. By the time it was
over, the Yahoo! attack alone would involve enough data to fill 630 pickup
trucks with paper.
Later that night, Bill Swallow of the FBI's Computer Intrusion Squad poured
himself a cup of coffee, sat down at his computer and prepared
for another long night of mostly meaningless chat sessions with mostly
insignificant teenagers. Acting as channel operator on one of the IRC
channels frequented by hackers, he noticed that somebody with the nickname
Mafiaboy had popped up. Swallow had exchanged words with
this loudmouth "script-kiddie" before.
Tonight, Mafiaboy was bragging about his "skilz." The members of the chat
room grew so tired of his claims he had pulled off a major hack
that Swallow booted him out of the chat room.
Shortly after 9 a.m. on May 8, Buy.com, an online retail store, issued
investors its initial public offering of stock. At 10:50 a.m., system
administrators were battling a massive denial-of-service attack involving
800 megabits per second of incoming data, more than twice the
Web site's normal load. The attack threatened to keep the retailer off-line
indefinitely. Later that afternoon, eBay and Amazon.com reported
significant outages of service.
When Swallow came on duty that evening, he was again confronted with Mafiaboy.
By this time, Swallow was aware of the situation on the
Internet and was hoping to find leads. Mafiaboy once again claimed responsibility
for the attacks. But there was no way Swallow or the
other hackers on IRC that night were about to fall for that. That's when
Mafiaboy put a challenge to the rest of the IRC members.
What do you want me to hit next? he asked. Swallow and the others ignored
him. This guy ranked at the top of the "bogometer" -- or bogus
meter -- they said. Then somebody suggested CNN and E-Trade might be good
targets.
Within minutes, CNN's global online news operation, as well as 1,200 other
Web sites that CNN hosted, started to grind to a crawl. By the
following day, Datek and E-Trade, online stock-trading companies, entered
crisis mode with sporadic outages of Internet operations. Slowly,
it became clear that dozens of computers had been hijacked and used in
the attacks. Vulnerable computers at the University of California in
Santa Barbara, the University of Alberta and in Atlanta and Massachusetts
had been turned into zombies -- as many as 75 computers around
the world. The intruder had planted malicious software on these systems
that had turned them into autonomous launching pads for
denial-of-service attacks.
This was a crisis that many experts had been warning about for years. Nothing
less than the public's confidence in the future of the Internet
economy was at stake.
- - -
Jill Knesek of the FBI's Los Angeles field office was in a hotel room in
rural Alabama, where she had been serving a search warrant against a
hacker the FBI had ensnared, when the phone rang. It was her boss, Charles
Neal.
"We've got a major problem on our hands," he said. "A hacker is hitting
all of the major ISPs and e-commerce sites, from Yahoo! to Amazon
to CNN."
Knesek immediately hopped on the Internet to find some leads. She had worked
undercover posing as a teenage hacker for a few months
before taking over the co-ordination of the operation. But there was only
so much she could accomplish from Alabama. Leads were still hard
to come by. And by the end of the week, she was back in the L.A. office.
Neal decided early on the L.A. office would attack the investigation from
an intelligence perspective. Other FBI field offices were going to
approach it from a technical standpoint. But Neal knew he had the best
sources of intelligence the hacker underground could offer. That was
the point of the undercover operation he had been running for the past
year. Eventually, a combination of the two approaches enabled the FBI and the Canadian
police to home in on the real Mafiaboy.
Within days of the first attacks, false confessions started pouring in.
Dozens of calls a day had to be fielded and dozens more appeared on
the Internet via IRC chat rooms.
Information continued to pour in to the FBI from the victim companies.
The major networking companies, along with Exodus
Communications, Inc., which provided Internet services for some of the
big-name companies that had been hurt by the attacks, had started
to crunch through router logs and were beginning to piece together a picture
of what hosts had talked to each other during the attacks. A
portrait of the real hacker was emerging.
On Feb. 12, Dell Computer Corporation reported its systems had been hit
with a barrage of Internet traffic. Once again, Mafiaboy went
online and claimed responsibility. On a chat room, he said he would put
his computer "in the fireplace." In fact, he threw his hard drives into
a lake.
For the next two days, Neal and his team of FBI experts scoured the Internet
for clues to the identity of the hacker known as
Mafiaboy. On Feb. 14, they found a Web page, www.dsupernet.net/~mafiaboy,
which belonged to a Canadian user of Delphi Supernet.
Shortly thereafter, evidence came in that linked the Dell attack to an
Internet account with an ISP in Montreal called Totalnet. The FBI now
had two pieces of evidence pointing to a Mafiaboy in Canada.
A third piece of critical evidence was the data from the initial attacks,
which had been preserved at UC Santa Barbara. The administrators at
the university produced a copy of the attack tool used, which was registered
to a user named Mafiaboy. The tool's author had given this
warning to all the hackers who downloaded it:
"WARNING: Using this program on public networks is HIGHLY illegal and they
WILL find you and put you in jail. The author is no way
responsible for your actions. Keep this one to your local network!"
- - -
The FBI called the RCMP on Feb. 14, because they needed help in catching
a hacker named Mafiaboy, who they suspected was living
somewhere in the Montreal area. The RCMP immediately agreed to help. That
was the beginning of Operation Claymore.
Marc Gosselin was appointed the lead investigator charged with tracking down Mafiaboy.
The next morning, Feb. 15, Gosselin executed a search warrant for the systems
at the Delphi Supernet and Totalnet offices in Montreal. He
discovered three e-mail accounts registered to a Mafiaboy:
mafiaboy@dsuper.net
mafiaboy@total.net
pirated_account@total.net
Though Gosselin had discovered accounts with the Internet handle Mafiaboy
attached to them, this didn't mean those accounts belonged to
the guy Gosselin was looking for. One of the e-mail messages discovered
had an Internet protocol address linked to it, but it turned out to
be a hacked account that belonged to a real estate broker: pirated_account@total.net.
This account would later be identified through phone
tap and trace correlations to Mafiaboy's residence. He'd obtained the unsuspecting
couple's account password and was dialing in and using
the account from his house.
Once again, Gosselin started the tedious process of poring over account
information and cross-checking telephone numbers, credit card
numbers and names on accounts and mailing addresses. Everything was different,
nothing matched up -- except for one phone number. It
was the phone number that most ISPs and credit card companies ask their
customers to provide as an alternative contact number. That
number looked familiar to Gosselin.
He did a search for addresses against that phone number, and the search returned a match for an address Gosselin recognized.
Gosselin rifled through his old files looking for a lead. One of the first
was the one from the hacker incident at the Oregon ISP, Outlawnet.
The address and telephone number matched the address and telephone number
of the suspect in the Oregon ISP case.
Bolstering his suspicions were a series of complaints the ISP had collected
over the years about the users of this account. It seemed others
had already fallen victim to a hacker who had been traced back to the Delphi
Supernet account.
The only reason Gosselin had not busted Mafiaboy months ago was the lack
of evidence. Had he been able to prove probable cause, he
would have put a wiretap on the house in December.
By Feb. 16, word of Gosselin's success in tracking down a solid lead was
passed to the FBI. Plans were being made to obtain legal authority
to install dialed-number recorders (DNRs), commonly known as pen registers,
on the telephone lines leading into and out of Mafiaboy's
home. A DNR is the equivalent of a caller ID system that tracks all outgoing
calls made from a suspect's telephone to show that the suspect
is communicating with known criminals -- or, in this case, with known ISPs.
DNRs are a critical tool investigators use to locate accomplices
and, if necessary, to demonstrate the need for full wiretap authority.
The DNRs on Mafiaboy's telephones were in place on Feb. 18, when the FBI's
Jill Knesek arrived in Montreal. But DNRs have their limitations.
You can't capture voices with DNRs, only phone numbers and dates and times
of calls. But the RCMP's tactics were about to change.
- - -
Within four days of the setup of the DNRs, investigators discovered another
Totalnet account registered to Mafiaboy. This time, however, the
account belonged to the company owned and operated by Mafiaboy's father.
Despite the cancellation of the previous accounts two years
earlier, it was now obvious Mafiaboy had multiple ways of connecting to
the Internet and identifying himself to others. There were hacked
accounts, legitimate accounts and accounts that ostensibly belonged to
family members. Though the RCMP had narrowed down the search to
a single residence, a major challenge still lay ahead. Who was sitting in
front of the computers during the attacks? Again, Gosselin and the
FBI were confronted with a dilemma: Move in too soon and the case would
collapse. Mafiaboy would go free.
On Feb. 25, the FBI and the RCMP obtained a court order to intercept all
private communications of Mafiaboy and his immediate family.
That meant a full-blown wiretap and a massive data-collection operation
focusing on all telephone conversations and computer and Internet
activity that took place in the house. They would have 60 days to collect
all the evidence they needed before they would have to reapply for
the court order.
Data interception operations began on Feb. 27. Totalnet created a preset
range of IP addresses to be used only for Mafiaboy's suspected
accounts, enabling investigators to focus closely on his activity. Data
interception servers were set up at the ISP as well. The information
began pouring in immediately. Each day's capture was reconstructed using
proprietary software developed by the FBI. The job of collecting,
managing and analyzing the deluge of information fell to Currie.
As the head of the RCMP's Computer Investigative Support Unit, Currie actively
monitored all Internet activity originating from Mafiaboy's
residence and sifted through it for clues that would help investigators
build a case against the teenager. As Currie would soon find out,
capturing the data is the easy part. The tough part comes in separating
different activities, such as Web surfing, online gaming and e-mail,
and then trying to decipher with whom Mafiaboy might have been communicating.
On Mafiaboy's active days, he often operated until 3 or 4 in the morning.
Currie set up his system to conduct the daily download of raw data
intercepts shortly after 4 a.m., when Mafiaboy was known to quit for the
night. When the operation ended 43 days later, Currie had
collected 7.6 gigabytes of raw data.
Most of Mafiaboy's online activity involved Web surfing, online gaming
and boisterous IRC chat sessions. During one session, agents watched
him in real time as he attempted hacks and had to retype commands three,
four, or five times before he got them right. In addition, he
always seemed to be accessing accounts using log-ins and passwords that
other hackers had given to him.
- - -
In March, Mafiaboy's father installed a digital subscriber line from Sympatico-Lycos,
Inc., one of Canada's major ISP and Web hosting
companies. On March 16, data interception operations on the Sympatico DSL
modem started.
There was so much data to capture that Currie set up a mini-lab in the
basement of his home so he could conduct downloads in a more
timely manner, as well as watch his kids from time to time from his RCMP
office through a digital video camera. One night, Currie and an
FBI colleague saw a flurry of traffic going into and coming out of Mafiaboy's
residence. Currie and the FBI agent immediately thought they
had another denial-of-service attack on their hands. That was a possibility
the agents had been facing all along. Figuring out how to conduct
an investigation while at the same time trying to prevent another round
of attacks was a big task.
Currie yanked a few of the data packets from the stream and made a live
copy to analyze. If you know what to look for, you can learn a lot
from the raw data packets. If it's HTML, or Web traffic, you can tell that.
And although it's more difficult, you can also tell if it's e-mail. Ten
minutes passed and Currie's anxiety grew. Then, all of a sudden, they noticed
data packets containing messages such as "I'm going to kill
ya," "Death God" and the like. Mafiaboy wasn't in the midst of another
denial-of-service attack against major e-commerce Web sites: He
was playing an online game called Starcraft, a real-time strategy game
that pits three races against one another in an intergalactic war.
Then Currie watched him tinker with some of the hacker tools he had used
in the original attacks in February. But just when the teenager
looked like he was getting back on track with his hacking activities and
possibly starting to learn something, Currie noticed, on March 21,
that he had launched a limited ICMP attack against himself. Kids. They
never seem to learn.
Mafiaboy's ineptitude didn't surprise investigators. School had never been
high on Mafiaboy's priority list. Classmates and school
administrators describe the computer whiz kid as somebody who had been
repeatedly suspended for discipline problems. In fact, before his
arrest, Mafiaboy had reportedly been suspended twice from school. After
his arrest, he violated the terms of his bail by getting suspended
upon his return to school. Classmates and teachers recounted incidents
where the teenager talked back to his English and math teachers
and banged his fists on his desk out of frustration. He rarely showed up
for class with his books or with completed homework assignments.
Mafiaboy had a real attitude problem, one fellow student said in April
after the hacker's arrest.
Mafiaboy preferred to dress in baggy pants, baggy jacket and Nike tennis
shoes and he was often seen wearing a baseball cap in the
backward punk style of many teenagers. In contrast to those who said he
was a normal kid, other friends said he hung out with the tough
kids at school, smoked cigarettes, got a lot of play with the girls and
was generally a troublemaker.
This wasn't his first school. He had been thrown out of another because
of discipline problems. And at the new school, students were
required to wear uniforms. No sneakers, running shoes, black jeans, black
Palazzo pants, sweatshirts, or boots of any kind were allowed.
These details would not emerge until after agents had taken Mafiaboy into
custody. Before that, however, the RCMP was learning other
critical details about Mafiaboy's home life. The teenager's choice of hacker
nickname was no accident, Knesek later recalled. "He didn't pull
the name Mafiaboy out of the air."
- - -
It was April 15, 43 days into the wiretap and data interception operation,
and a clearer picture of Mafiaboy had emerged. The wiretap
proved to be the critical tool in the investigation that enabled investigators
to link Mafiaboy to the technical evidence. His guilt and the fact
that he had acted alone had also been well established. The RCMP still
needed, however, to be absolutely positive about who was sitting in
front of the computer.
Mafiaboy appeared at his sentencing hearing in June, 2001 wearing baggy
pants and a blue dress shirt, untucked and sloppy. A
court-appointed social worker tasked with interviewing the teenager and
his family told the judge that "not only is he not taking full
responsibility for what he did, he's still trying to justify that what
he did was right." A 16-page report submitted by the court expert concluded
that Mafiaboy had lied when he said that he was only trying to test the
security of the Websites he attacked. If that were true, argued the
social worker, the attacks wouldn't have lasted as long as they did.
The social worker later recommended to the judge that Mafiaboy receive
five months in closed custody for his crimes because the teenager
posed a moderate risk to hack again. Mafiaboy's mother responded to her
son's prosecution by telling the judge she felt she might have
been too strict on the boy when he first showed signs of an obsession with
computers, but that his father was not strict enough in supervising
and guiding him.
Though a defence criminologist testified that Mafiaboy had clearly taken
responsibility for his crimes and had accepted his guilt, the
prosecutor, Louis Miville-Deschenes, used reports from teachers and school
administrators who knew Mafiaboy to paint a picture of a
troublemaker who craved attention.
On Sept. 12, 2001, the judge slapped Mafiaboy with an eight-month sentence
in a juvenile detention centre. The maximum sentence he
could have received was two years. The judge also prohibited him from possessing
any software not commercially available and banned him
from using the Internet to talk with other hackers and hacking into any
other Websites. He also ordered Mafiaboy to tell authorities the
name of his Internet service provider.
Tracking Mafiaboy (Part 2 of 2)
By this time, Mafiaboy had turned 15 and his older brother had recently
celebrated his 18th birthday. If it turned out the older brother was
responsible, he was now an adult and could be charged as an adult.
Gosselin and Knesek had pictures of the family, but the ages of the
brothers were close enough that it was difficult to tell who was talking on
the telephone. Sometimes the agents had to listen closely to what the
boys were saying to figure out which brother was talking. They had
similar likes and dislikes and both talked about girls.
They talked about Mafiaboy, too, and that proved to be a key piece of
evidence pointing to the younger brother. In addition to capturing the
teenage hacker's voice talking about the fact that he had conducted
various hacks, the investigators also captured his older brother bragging
to friends about his younger brother's hacking exploits. At one point, the
brother bragged about how his little brother was all over the news, a
clear reference to the February denial-of-service attacks.
Mafiaboy's father also found his son's hacking accomplishments impressive.
But the businessman would rather have
avoided the type of attention the attacks had brought, according to investigators.
He had other problems and the
attention of law enforcement was not what he needed at the moment.
The father's plans included hiring a hit man to assault a business associate
because of a dispute over a $1.5-million
business transaction. He later received the equivalent of a slap on the
hand for what Gosselin and Knesek feared could
have been a plot to commit murder.
For 43 days, Gosselin had resisted the temptation to storm in and confiscate
the teenager's computers and had every
intention of continuing the wiretap for the entire 60 days he had been
authorized to run it. But now, the RCMP had
evidence the boy's father was conspiring to really hurt somebody. The plan
was all set. Tonight's the night, the two men
could be heard agreeing on the telephone. Investigators had to move in.
Police raided the house at 3 a.m. on April 15. All they found was a surprised
and bewildered father, the stepmother and
Mafiaboy's two brothers. Mafiaboy was nowhere to be seen. They took the
father into custody and were informed
Mafiaboy was staying at a friend's house. When RCMP agents arrived at the
friend's house, Mafiaboy was standing outside
on the curb, fully dressed and relaxed. He looked as if he was waiting
for a bus or hailing a taxi.
Knesek recalls the wiretap and a portrait of a dysfunctional family. There
were padlocks on the doors of the brothers'
bedrooms. Mafiaboy "saw a lot, dealt with a lot, took a lot," recalled
Knesek. Neither Mafiaboy nor his father considered
what Mafiaboy was doing illegal or harmful, she says.
- - -
When investigators picked apart the teenager's computers, they found no
technical evidence linking him to the attacks.
Mafiaboy's hard drives and any other evidence he may have had lay somewhere
at the bottom of one of the many lakes,
rivers, and tributaries that weave in and out of the Montreal area. Without
the wiretap and the original evidence captured
by UC Santa Barbara administrators and others, the Mounties would not have
had a case.
Mafiaboy pleaded guilty in youth court to dozens of charges related to
the February attacks. The one charge he refused to
plead guilty to was the attack against Outlawnet in Oregon. I didn't do
it, said Mafiaboy. The RCMP suspect one of his
brothers was responsible.
But pleading guilty was all Mafiaboy did. He wasn't talking. Gosselin tried
repeatedly to interview the teenager to find out
why he did what he did, what his motivations were, if there had been anything
pushing or forcing him to conduct the
attacks. The one and only time Gosselin and other investigators had a chance
to interview Mafiaboy, his lawyer was
present. The Montreal hacker had decided he was going to take his chances
and hope the court would believe his
contention that on Feb. 7, 8, 9, and 10, and again on Feb. 12, he was simply
running tests that would have enabled him to
design and build a new and improved firewall device.
There were a few holes in Mafiaboy's story. First and foremost was the
fact that his so-called tests lasted for six days. In
addition, the hacking tool he had downloaded and used came with an explicit
warning that it was illegal to use the tool
against another computer network and that it was not designed to collect
statistics or information that could be used to
build a new firewall.
This article is adapted from The Hacker Diaries: Confessions of Teenage
Hackers, published by McGraw-Hill.