CWC View: It's still the Wild, Wild West

By: ComputerWorld Canada staff - ComputerWorld Canada (21 Nov 2008)

Some of you might know the name Michael Calce, but most of us will remember his alter ego, Mafiaboy, for a long, long time.

Mafiaboy was the subject of a North American “manhunt” — he was 15 at the time — before authorities traced the source of a massive denial-of-service attack to Calce’s father’s Montreal home in 2000.

Calce faced nearly 70 charges in connection with incidents in which he brought some of the world’s leading e-commerce and media sites — Yahoo, CNN.com, E-Trade and Amazon among them — to their figurative knees.

While the story-telling can be a little hackneyed at times, the book, called Mafiaboy: How I Cracked the Internet and Why It’s Still Broken, is fascinating for the insight into exactly how easy it was for Calce, once he’d assembled his network of compromised servers, to bring the Web sites down.

“(A) few fingers should be pointed at the e-commerce giants for the lax security that made the mischief so easy to carry out,” observes a confidential newspaper source at one point.

There’s another side to this story that isn’t getting told. We’re eight years on from the attacks, and it’s time to take stock. Is the Net any safer now than it was then?

Edward Amoroso, security chief for AT&T Inc., told our sister publication, Network World Canada, that “maybe 95 out of 100 (enterprises) probably don’t have sufficient protection” against denial-of-service attacks. Calce’s attacks brought down the majors with about 1Gbps of traffic; while the pipes in general have gotten bigger, Amoroso figures most company gateways could be brought down with a 3Gbps attack.

Read more

Visit IT World Canada's Security Knowledge Centre

Calce and his ilk hacked for reputation, for the love of the game, for control. (Calce writes his attacks on the e-commerce majors were simply tests of tools designed to bring down IRC channels at will.) As many observers have pointed out, black-hat hacking is increasingly a money-motivated pursuit. A study shows the Storm botnet, used to deliver spam and malware, could be generating as much as $3.5 million a year in revenue for its operators.

If we’ve made any progress at all, it’s in quantifying the damage. Estimates of the economic damage associated with Calce’s attacks were entirely hypothetical; they varied widely and were likely wildly inflated for effect. With the bad guys focusing on identity theft, it’s easier to establish how much money is being lost, rather than calculating the hypothetical value of Web site downtime.

Back in the day, we talked about the Internet as the Wild, Wild West, a lawless land we had to bring order to. It’s difficult to argue that much has changed.