On the trail of Mafiaboy

The FBI's hacker hunt has turned into a search for a 15-year-old Montreal phreak

by Philip Preville

Last Wednesday, the Mirror received an unexpected visit from a man claiming to be a close relative of Mafiaboy, the Internet hacker currently sought by the FBI in connection with the recent shutdowns of high-profile Web sites cnn.com, amazon.com, e-Bay, and others. The man appeared genuinely scared. "I'm freaked out for Mafiaboy", the man said. "The police will be knocking on his door soon. It's only a matter of days."

The man refused to reveal either Mafiaboy's identity or his own. But he did provide some information to back up his claim: he said Mafiaboy lived in Montreal (at that point, news reports suggested only that Mafiaboy was "Canadian"), and his server was Delphi Supernet (dsuper.net), now called Internet Direct, a subsidiary of Toronto-based Look Communications Inc.

Sure enough, the next day, news reports stated that the FBI and the RCMP had served a warrant to Look's Montreal office to get Mafiaboy's account information.

The Mirror's visitor was concerned for himself as well. He and Mafiaboy had done some hacking together in the past, though nothing on the scale of the high-profile DoS (Denial of Service) attacks that happened on February 7 and 8. But he said Mafiaboy has the brains to pull off such an attack on his own.

He has reason to be concerned. As FBI and RCMP agents continue to search for three hackers (with the handles Mafiaboy, Coolio and Nachoman), the e-commerce community is out for blood.

"They will try to make an example of whoever did this", says Martineau Walker law associate Sunny Handa, a renowned North American expert on Internet law. "In Canada, he or she can be tried under the criminal code and sued for damages. In the U.S. there are also criminal trials and civil rights of action, possibly in many states. That probably means extradition proceedings as well."
In Canada, section 430 (1.1) of the Criminal Code says anyone who "obstructs, interrupts, or interferes with the lawful use of data" is guilty of mischief, an indictable offense punishable by up to 10 years in prison.

But as for Mafiaboy's anonymous relative, well, he thought a few fingers ought to be pointed at the e-commerce giants for the lax security that made the mischief so easy to carry out. "There's another side to this story that isn't getting told", he said.

A pawn in the game

Whether the man was lying about his Mafiaboy connections or not, he has a point: DoS attacks are easy to execute and far less serious than people have been led to believe.

When news of the DoS attacks first broke, there was much ballyhoo over the millions of dollars that had been lost due to the crashing of the high-profile sites. And yet, if you ask the companies themselves, none of them ever "crashed" and none admit to "losing" any money.

"We suffered impaired service for two hours on February 7", Edna Johnson, spokesperson for CNN Interactive, told the Mirror. "We never crashed, we never stopped updating our content. It was just difficult for people to get through to us."

Ditto for Amazon.com. "On February 8, we had degraded service for one hour", said spokesperson Patty Smith. "People who were already on our site were able to complete their transactions. No credit card numbers were stolen. No one broke into our databases. We merely had a traffic jam."

Smith also says Amazon.com doesn't claim it has lost any money. "We don't know where those 'millions of dollars lost' news reports came from, but they didn't come from us."

DoS attacks work by generating large amounts of bogus traffic to a single site; the software needed to carry out an attack is readily available on the Web. Most e-commerce sites have anti-DoS security software: by recognizing the patterns in the bogus traffic, they can shut that traffic out.
The February 7 and 8 DoS attacks fooled the security systems by routing the traffic through many different servers.

How often do DoS attacks occur? CNN admits that such attacks aren't unusual, but Amazon.com is tight-lipped on the issue. "We can neither confirm nor deny that we've experienced attacks in the past", says Smith. "We don't talk about security issues."

The bottom line: DoS attacks happen all the time, but e-commerce sites don't want to admit it because it makes them look like a security risk. The only thing different about the February 7 and 8 attacks was that many sites were hit in a single day, so everyone looks bad together and they can initiate a very public witch-hunt for the culprit.

"The perpetrator, whoever he is, is a public relations pawn", says David Jones of Electronic Frontier Canada, an organization devoted to protecting privacy rights on the Internet. "Businesses want to make an example of someone, and law enforcement agencies are looking for bigger budgets to fight electronic crime. This situation serves everyone very well."

Bogus warrant?

Meanwhile, Jones says anyone who surfs the Web should be worried about how Internet service providers (ISPs) are cozying up to law-enforcement authorities on this case.

As Jones points out, many security experts have been quoted saying that Mafiaboy is probably not the perpetrator -- and that makes him wonder about the RCMP's warrant for information. "Handing over those kinds of details is an invasion of privacy", he says.

The way Jones sees it, the RCMP shouldn't be able to get a warrant unless they have strong reasons to believe that Mafiaboy is responsible. "But they can put their experts in front of a 50-year-old judge who doesn't understand the Internet, and they can get their warrant."

Once the warrant was served, Look Communications had to comply or face obstruction-of-justice charges. But Jones smells a fish, because Look Communications refuses to discuss any details of the warrant. "They can at least say which court issued the warrant, and which judge signed it", says Jones. "If they can't tell us that, then I'm not sure that a warrant exists."

Look Communications vice-president Colin Campbell did not return the Mirror's calls by press time. Jones is also waiting for Campbell to call him back.

Explains Jones: "Usually, when the police get a warrant, they can go in to an ISP's office and take all their computers. But police aren't very sophisticated: they don't know what they're looking for, and it will take them weeks to find it. What the police really want is for the ISP company to do the work for them and just give them the information they want. And since the ISP doesn't want the cops to walk off with their computers, they often comply."

Mafiaboy's relative, however, says the information that Look Communications gave to the RCMP may not amount to much. "Mafiaboy has never paid a cent for Internet access in his entire life", he says.