Book Excerpt: Mafiaboy

Written by Michael Calce and Craig Silverman

Mafiaboy, published by Random House Canada. Find out where to purchase the book.

February 7, 2000, was a Monday. A school day. I normally hated getting up in the morning for school because I was usually up until 2 or 3 A.M. working on Rivolta and chatting on IRC. That day, however, I was up early and making final preparations for my strike against Yahoo!. This wasn't going to be just another of my typical attacks against a fellow hacker. I had therefore programmed everything to launch while I was away from the computer. That way, I thought, I could say I was at school if other hackers-or the police-asked me about it. But the truth is that I expected the Yahoo! attack to fail. My idea was to see how Yahoo! defended itself and then adapt and improve my plans. I knew I had created something powerful but had no idea of its true force. I planned to come home, read the logs of what happened, and then make changes so my real targets couldn't beat me back.

In retrospect, I see that I had no clue as to the potential impact of what I was doing. At the time,Yahoo! had one of the biggest websites and networks on the web. It was also a multibilliondollar company that was seen as a bellwether of the technology industry. The dot-com boom was still in force, and Yahoo! was one of the biggest success stories. I should have seen that any kind of attack against Yahoo! would have been big news, even if it failed. But those factors didn't register in my mind. I had built something remarkably powerful and wanted to put it to the test.

I was a kid with a new toy.

I made my final preparations and headed to school, already contemplating what I might discover when I returned home. testifying at a congressional hearing in Washington in June 1991, computer security expert and author Winn Schwartau said,"Our computers are so poorly protected they can essentially be considered defenceless. An electronic Pearl Harbor is waiting to happen."

Since that moment, the threat of a large-scale electronic attack had become a focus for defence and information experts.A July 1995 Washington Post article about terrorists or other enemies using cyberwarfare to attack the United States' information infrastructure was headlined "The Pentagon's New Nightmare: An Electronic Pearl Harbor." Two years later, Deputy Secretary of Defense John Hamre testified at a congressional hearing."We're facing the possibility of an electronic Pearl Harbor," he said. "There is going to be an electronic attack on this country some time in the future."

Those warnings were largely specific to national defence, but the internet had grown to such an extent that by 1999 it was an integral part of the U.S. economy. An attack on major e-commerce giants could have a significant effect on the economy.The internet was woven into every facet of life in North America and around the world. People were beginning to upload their personal information and details about other aspects of their lives.They were banking online, doing business online, living their lives online. If something happened to show that some of the largest and most respected internet companies were vulnerable to attack, consumers could lose confidence in the internet and begin to pull back.This could have major economic repercussions.

But these realities were far from my mind as I planned Rivolta. What fifteen year old thinks about the economic interests of the United States? I had an innovative new attack I wanted to unleash on IRC, and naively decided to venture out from the cover of that part of the internet to test my capabilities. I had no intention of claiming the Yahoo! attack as my own. As I say, I thought I could run my test, learn what worked and what didn't, and move on with my plans. If someone came asking, I would say I was at school during the attack. It seemed like a reasonable plan at the time. Needless to say, I was wrong.

At 10 a.m., i was in school, as planned. I moved from class to class, my thoughts fixed on the attack. Along with planning the time of the attack for ten o'clock, I had programmed a series of tests to run in the background. These would enable me to see how Yahoo! was affected, how it defended itself, and what the overall results were. More than anything, I was excited to pore over the data and get back to work on my bigger plans. It never occurred to me that while I was sitting in class, system administrators at Yahoo! would be frantically trying to keep their sites and network online and accessible to the millions of people who visited them every day. Having never expected that result, I floated through the school day as chaos erupted in Yahoo!'s offices.

According to media reports, Yahoo! began experiencing serious problems at about 1 P.M. EST that day. Soon after that, its website began to grind to a halt. People typing "yahoo.com" in their web browsers were largely unable to access the site. Others were unable to access their free Yahoo! email accounts.Yahoo! was being hit with a barrage of packets emanating from multiple places—just as I had intended. This was a distributed denial-ofservice attack on a massive scale. It qualified as a mass distributed denial-of-service (MDDoS) attack.

"Monday's [Yahoo!] failure drew renewed attention to the risks facing the fledgling world of electronic commerce, where hackers can shut down even the largest online stores," reported the Associated Press on February 7. "It basically says nobody is safe, if Yahoo! can be taken down with all the resources behind them," Elias Levy, chief technology officer at SecurityFocus.com, a respected computer security website, told the Associated Press.

Arriving home just before 4 P.M., I discovered that Yahoo! had been knocked offline. In fact, I was unable to access its website. It was still down! I sat in front of my monitor, frozen in a state of shock.This was not at all what I had expected. I combed through my reports to see what had happened. It almost seemed too easy. I had expected to fail and learn from that experience. But Yahoo!, one of the giants of the internet, had seemingly crumbled due to my attack.

Although Yahoo! was back at full strength within the hour, its failure had raised a question in my mind:Was my attack that good or were Yahoo!'s defences that poor? Some experts believed it was the latter.

"It's kind of silly it took so long [to defeat the attack]," James M. Atkinson, president and senior engineer at Granite Island Group, an internet security consultancy, told the Associated Press. "The fact [the attack] went on for hours indicates a management and infrastructure problem that does not involve technology.This should have taken [Yahoo!] off the map for fifteen to twenty minutes, thirty at the most."

Meanwhile, the National Infrastructure Protection Center issued a statement saying that it was "highly concerned about the scale and significance of these reports."

I wasn't reading any of the media reports. I didn't usually watch the news or read newspapers. The news sources I cared most about were phorce.net and the community of people who populated the hacking channels on IRC.As the mainstream press and computer security community engaged in speculation about what had happened, I logged on to IRC to see what my peers thought.

I wasn't surprised to see the Yahoo! attack generating a huge amount of chatter, but it was funny to see other people claiming credit for it. Even someone in the private TNT chat room stepped up and said it was he who had launched the attack. I thought this wasn't such a bad thing and was happy to let others face scrutiny for now. (Although many subsequent media reports claim I boasted about taking down Yahoo.com that night, I don't recall doing so.)

I felt overwhelmed by what had happened, what I'd achieved. I couldn't help but see it as an achievement. I felt as though the huge amount of bandwidth under my control was now coursing through my veins, as if I now embodied the networks I controlled. I lay relatively low on IRC that night and didn't do much work on Rivolta. The entire experience was so draining that I crashed and went to bed early for the first time in months.

From Mafiaboy by Michael Calce with Craig Silverman. Copyright Michael Calce and Craig Silverman, 2008. Reprinted with permission of Penguin Group (Canada).

Find out where to purchase the book.