A Q&A with MafiaBoy

When he was just 15 years old, Michael ‘Mafia Boy’ Calce managed to shut down several major websites including CNN, Dell, Amazon, Yahoo, eBay, and ETrade with a series of denial of service attacks. Now, more than a decade later, he talks about how the hacker culture has changed and what users can do to protect themselves.

How He Toppled the Web Giants

In 2000, Calce targeted CNN.com after another hacker claimed the site would be impossible to bring down because of its "advanced networks" and "huge traffic numbers." He managed to slow down CNN's site for nearly two hours.
Denial of service attacks involve bombarding a site or application with so many requests that the server is unable to keep up. Calce modified a denial of service attack written by another hacker and trained approximately 200 university networks under his control to a specific target.
The attack against Yahoo was by accident, Calce said. He had put in the IP addresses into the script, and then gone to school, forgetting the script was still running. He came home to find his computer had crashed, and didn't realize what had happened until he heard the news reports later.
His own activities, Calce admitted, were "illegal, reckless and, in many ways, simply stupid". He added that he really had not understood the consequences of his actions.

"It's So Easy It's Scary"

More than a decade later, it's easier to launch attacks now than it was then, Calce said. A lot of the companies are completely unaware that they are at risk, and that needs to change.
Back when he was actively targeting sites, you had to work and build your own arsenal of tools before launching an attack. Now there are hacker desktops and ready-to-use tools that anyone can download, install, and implement. "If you're interested and you want to be a hacker, you can be a hacker in 30 minutes", Calce said.

Different Mentality, Motivations

Calce and his fellow hackers were driven by curiosity and desire to understand how things worked. That is where the term ‘hacker’ originated, after all. A hacker refers to anybody interested in manipulating technology to do something other than its original purpose. "That's not necessarily a bad thing", Calce said. "At that point in time, everyone was running tests and seeing what they could do and what they could infiltrate", remembered Calce.

The current generation, however, is motivated by money, or desire to destroy. "It's much more about monetary gain, whereas we were pushing the status quo", Calce said, pointing out that even when there doesn't seem to be an obvious financial motive, that doesn't mean it isn't there.

Hacktivist groups such as Anonymous and Lulzsec are a "different breed", Calce said. While they have political motivations, some of them do also have malicious goals. They are not pure white-hat or pure black-hat, but more “grey-hat hackers”, Calce said. "I don't condone what they're doing, but I understand their point". He believes hacktivism will become a bigger phenomenon since people have “figured out how to use technology to fight back” and draw more attention to their cause.

Safe Security Online

With attack motivations shifting to monetary gain, the attack focus has also shifted, and individual users are just as likely to be targeted as large companies.
Users need to use strong passwords to protect their accounts. “They need to be long and complex. Password managers help keep track of strong passwords”, Calce said.
They should also think about installing personal firewall software on their computers to block malicious traffic. A firewall can also warn you when an application is trying to access the internet. If you are not using Bluetooth, it should be turned off so that other devices cannot connect to your computer.
And finally, users should beware of open wireless networks because it is incredibly easy to eavesdrop on what you are doing, and people don't realize this, Calce said.
Hacking will never go away, and users can take some steps to protect themselves, but ultimately, organizations need to invest in security to protect their end users, Calce concluded.