Michael Calce says he knew he was in trouble when Bill Clinton called a press conference.
It was 2000. A denial of service attack had paralyzed several major web sites, including Yahoo and CNN. The U.S. government was getting seriously concerned. The big guns were called out. The FBI and – as the attacks were traced to Canada – the RCMP were on the trail of the criminal responsible.
Michael Calce – better known as Mafiaboy – was that person. He was a 16-year-old from Montreal who had got his first computer when he was six, became curious about hacking when a stranger “punted” him off AOL, and proceeded to dig deeper and deeper into the dark side of computer hacking, without really considering the consequences.
He had plenty of time to think the consequences through after he got caught, when he spent six months in reform school and a period on probation during which he wasn’t allowed to go online.
Now Calce, who was the keynote speaker at this year’s IT360 show and conference in Toronto, says he has abandoned the dark side. He’s a computer security consultant – a white hat, as they say in the security business. His opinions on security are instructive.
First off, he says he rarely buys anything online and doesn’t even like to use a debit card, because he doesn’t trust the security of online banking and payment systems. Does that make you nervous? It certainly makes me think twice. (And when I repeated the comment on Twitter just after the keynote, I got one response from an ex-IT security type who agreed with Calce.)
Calce repeated the oft-heard comment that computer crime has changed from largely a matter of hackers seeking technical challenges to one of criminals motivated strictly by money. He would see it that way, of course, and it’s probably at least somewhat true, though surely those breaking into computers have always had a number of different motives.
He also suggested that kids need some computer security education, something a bit akin to sex education aimed at stopping the spread of sexually transmitted diseases, as keynote interviewer Craig Silverman suggested. Silverman is a journalist and co-author with Calce of last year’s book Mafiaboy: How I Cracked the Internet and Why It’s Still Broken.
Maybe Calce’s most interesting point, though, was a throwaway remark during the question period. “The thing is that I think we’re advancing too quickly for our own good,” he said. He argues that new information technologies, online services and so on are being brought to market without enough thought about the security risks and how to address them.
“Obviously, there’s not enough debugging,” he says. I’ve been saying that for years — in the context of usability and reliability more than security, but it’s the same basic problem. In the rush to get things to market, developers cut too many corners, and that comes back to bite us later in many different ways.
Calce doesn’t think the online security problem can really be solved without essentially rebuilding the Internet from the ground up with more attention paid to security. Chances are, that’s not going to happen. The best we can hope for is some serious efforts to improve the security of what we have – and more attention to security in future development.